Attackers have unleashed new ransomware to take advantage of those unable to download the widely popular mobile game, Pokemon Go. Ransom_POGOTEAR.A was recently discovered by Trend Micro masquerading as a Pokemon GO application for Windows 10 app. It was originally spotted by Michael Gillespie, a security researcher who has identified and decrypted plenty of other locker programs.
The malware is an updated version of the Hidden Tear, an open-sourced piece of ransomware released last August 2015, with the intention of educating people. The ransomware scans a victim’s drive and encrypts any file with a certain extension – as per usual.
The Hidden Tear ransomware isn’t new. In January 2015, Trend Micro discovered a hacked website in Paraguay that distributed ransomware detected as RANSOM_CRYPTEAR.B. The website was compromised by a Brazilian hacker and that the ransomware was created using a modified Hidden Tear code. Prior to this discovery, when the source code of Hidden Tear was made public for educational purposes, the creator was very specific about not using Hidden Tear as ransomware.
The ramsomware is designed to create a ‘Hack3r’ backdoor account in the victim’s Windows machine. Once the user downloads and installs the ransomware, it creates a user account and adds it to the Administrator group. It then hides the account by configuring a Windows registry key from the login screen. Another feature creates a network share on the victim’s computer which attempts to spread itself via removable media. Once the executable is copied to removable drives, it creates an autorun file so the ransomware runs each time someone accesses the removable drive. The executable is also copied to the root of other fixed drives. This way, the Pokemon GO ransomware will run when the victim logs into Windows.
The ransomware is currently targeting Arabic-speaking users, following the move by many Arab countries to ban or limit the game. It locks a user’s files, presenting them with a Pikachu themed ransom note. In addition, the screensaver executable is also embedded with an image of “Sans Titre”, which means ‘Untitled’ in French which can be the developer’s origin.
The ransomware has a static AES encryption key of “123vivalalgerie”. Additionally, the command & control server (C&C) uses a private IP address which means it cannot connect over the Internet. This shows the ransomware is still under development. Once it is fully released, the purpose of the shared network will become clear.
“While most ransomware infections encrypt the data, delete themselves, and then display a ransom note, leaving no traces; this ransomware’s developers only encrypt the files so that the victim pays the ransom. Inlike others, it creates a backdoor account in WINDOWS so that the developer can gain access to a victim’s computer at a later date,” said Lawrence Abrams of Bleeping Computer who analyzed the PokemonGo ransomware.
After displaying ‘.locked’ on each infected file, a ransom message in Arabic is displayed unto the screen instructing the user to contact ‘firstname.lastname@example.org’ for payment procedure.
The backdoor could allow a hacker to remotely connect to a victim’s computer at a later stage to perform other malicious tasks.
This isn’t the first time researchers have run into fake copies of the popular smartphone virtual reality game.
At the time of Pokémon Go’s release back in early July, researchers came across an APK that claimed to be a copy of the game available on a non-Google URL which turned out to be a malicious program that loaded the DroidJack remote access trojan (RAT) onto users’ Android devices.
This is, however, the first documented case of ransomware that has taken on the hit smartphone game’s identity.
To avoid ransomware, users are encouraged to regularly back up files and to have an updated security solution. With the introduction of game in new regions and increasing craze around it, cybercriminals will find more ways to capitalize on it. Users should remain vigilant of threats that may ride along the popularity of such games.