A piece of ransomware that
claims to be a new variant of the notorious CryptoLocker is designed to
encrypt a wide range of files stored on infected systems, including
files associated with video games.

The new threat, dubbed “TeslaCrypt,”
was first spotted by researchers at the security firm Emsisoft in late
February, Bleeping Computer reported. The malware doesn’t appear to have
anything to do with CryptoLocker, but cybercriminals are trying to cash
in on the now-defunct ransomware’s notoriety.

Researchers at Bromium have also
analyzed the malware and discovered that it is distributed through a
compromised WordPress website set up to redirect visitors to a page
hosting the Angler exploit kit. The Angler landing page is designed to
check for the presence of virtual machines and antivirus products, after
which it drops the ransomware by exploiting a Flash Player
vulnerability patched by Adobe in January or an old Internet Explorer
flaw.

Once it infects a system, the malware
informs victims that their photos, videos and documents have been
encrypted. Unlike other ransomware, TeslaCrypt also encrypts files
associated with video games, including Call of Duty, Diablo, Fallout,
Minecraft, Warcraft, F.E.A.R, Assassin’s Creed, Resident Evil, World of
Warcraft, League of Legends, and World of Tanks.

In addition to profile data, saved
games, mods, and maps, the ransomware encrypts files associated with
Steam and game development software such as Unity3D, Unreal Engine, and
RPG Maker. The malware targets a total of 185 file extensions, including
iTunes-related files.

“Encrypting all these games demonstrates
the evolution of crypto-ransomware as cybercriminals target new niches.
Many young adults may not have any crucial documents or source code on
their machine (even photographs are usually stored at Tumblr or
Facebook), but surely most of them have a Steam account with a few games
and an iTunes account full of music,” Bromium researcher Vadim Kotov
wrote in a blog post. “Non-gamers are also likely to be frustrated by
these attacks if they lose their personal data.”

Researchers at Webroot have also
analyzed TeslaCrypt. They noted that victims are presented with a “free
decryption” button, which isn’t surprising considering that some
ransomware variants allow users to decrypt a few files for free.
However, in this case, when the button is clicked, users are taken to a
site where they’re told to pay 1.5 Bitcoin (approximately $415) or
$1,000 through PayPal My Cash Card to recover the files.

“Bitcoin is the preferred method of
payment as it is an untraceable secure method of receiving payment from
you so they give you a better price of only $415. If you wish to use
payment systems like PayPal My Cash Card, then the price increases to
$1000 (this is because they lose a percentage through the middleman).
The choice is very clear that they want the hefty discount to sway you
into using bitcoin as payment,” Webroot researchers wrote.

TeslaCrypt is not the only threat
targeting gamers these days. Researchers at Malwarebytes have spotted a
campaign designed to phish the Steam credentials of Counter-Strike:
Global Offensive (CS:GO) players and drop a piece of malware onto their
computers.