New crypto-ransomware encrypts video games files


Petrovic

Apr 25, 2013
A new piece of ransomware that (mis)uses the Cryptolocker "brand" has been analyzed by Bromium researchers, and they discovered that aside from the usual assortment of file types that ransomware usually targets, this variant also encrypts file types associated with video games and game related software.


But not all video games, and not the most popular ones. It targets files associated with the single-player games Call of Duty, StarCraft 2, Diablo, Fallout 3, Minecraft, Half-Life 2, Dragon Age: Origins, The Elder Scrolls and specifically Skyrim-related files, Star Wars: Knights of the Old Republic, WarCraft 3, F.E.A.R., Saints Row 2, Metro 2033, Assassin's Creed, S.T.A.L.K.E.R., Resident Evil 4, Bioshock 2; and the online games World of Warcraft, DayZ, League of Legends, World of Tanks, and Metin2.

It encrypts company specific files for various EA Sports, Valve and Bethesda games, files associated with the Steam gaming platform, and those of game development software such as RPG Maker, Unity3D, and Unreal Engine.

The ransomware also encrypts iTunes-related files, which is also a first. All in all, this variant targets 185 file extensions.

"Encrypting all these games demonstrates the evolution of crypto-ransomware as cybercriminals target new niches," noted Vadim Kotov, Senior Security Researcher at Bromium. "Many young adults may not have any crucial documents or source code on their machine (even photographs are usually stored at Tumblr or Facebook), but surely most of them have a Steam account with a few games and an iTunes account full of music. Even professional adults may be frustrated by these attacks if they lose their games along with the rest of their personal data."

The malware itself might look like Cryptolocker at first - it uses a similar visual identity - but when their code is compared, less than ten percent is the same.

It is currently being distributed via a compromised WordPress site that redirects users to a page hosting the Angler exploit kit.

"Bromium analysis determined this instance of Angler checks for the presence of several virtual machine artefacts, Fiddler and some of the anti-virus products using Microsoft.XMLDOM and the res:// protocol," Kotov shared. If the target system runs none of them, the kit will run exploits for the CVE-2015-0311 Flash and CVE-2013-2551 IE flaws.

"The payment procedure is operated through a website located in the TOR domain," notes Kotov. "Each instance of the ransomware has its own BTC address."

The files are encrypted using the AES cipher, and encrypted files gain the .ecc extension. It's still unknown how the main encryption key pair is created. Also, the ransomware creates a key.dat file that has yet to be successfully analyzed, and perhaps could be used to decrypt the data.
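A defender-side check built from the indicators in this post, added here as an example and not code from the post, Bromium or the malware: it walks a directory for files carrying the .ecc extension and for a key.dat file, recovers each renamed file's original extension (so an incident responder can see which game or media files were hit), and applies a byte-entropy check (the 7.5 bits/byte threshold is an assumption) to confirm the contents look like ciphertext rather than a mere rename. The sample tree it scans is constructed inline.

```python
import math
import os
import tempfile
from collections import Counter

# Indicators from the write-up above: encrypted files gain a ".ecc" extension
# and a "key.dat" file is dropped. The original extension is recovered from
# the renamed file, e.g. "save1.sav.ecc" -> ".sav". Threshold is an assumption.
ENCRYPTED_EXT = ".ecc"
KEY_FILE_NAME = "key.dat"
HIGH_ENTROPY = 7.5  # bits per byte; AES ciphertext sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root: str) -> dict:
    """Walk root and summarise the ransomware indicators found under it."""
    report = {"ecc_files": 0, "original_exts": Counter(),
              "key_files": [], "high_entropy": 0}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower() == KEY_FILE_NAME:
                report["key_files"].append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                report["ecc_files"] += 1
                original = name[:-len(ENCRYPTED_EXT)]
                ext = os.path.splitext(original)[1].lower() or "(none)"
                report["original_exts"][ext] += 1
                with open(path, "rb") as fh:  # sample the first 4 KiB only
                    if shannon_entropy(fh.read(4096)) >= HIGH_ENTROPY:
                        report["high_entropy"] += 1
    return report

def demo() -> dict:
    """Build a constructed sample tree in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    saves = os.path.join(root, "Saves")
    os.makedirs(saves)
    for fname in ("game1.sav.ecc", "game2.sav.ecc", "profile.dat.ecc"):
        with open(os.path.join(saves, fname), "wb") as fh:
            fh.write(os.urandom(4096))  # random bytes stand in for ciphertext
    with open(os.path.join(root, KEY_FILE_NAME), "wb") as fh:
        fh.write(b"\x00" * 64)  # placeholder; the real key.dat format is unknown
    return scan_tree(root)
```

Running `demo()` on the constructed tree reports three .ecc files (two from .sav saves, one from a .dat profile), all high-entropy, plus one key.dat; pointed at a real user profile it gives the same summary.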
 

Ink

Administrator
Jan 8, 2011
The brilliance of PC gaming with Windows OS. That is one thing about consoles, they aren't affected by common malware. :D