A new crypto-ransomware program is extorting money from gamers by encrypting game saves and other user-generated files for popular computer games.
Data files for more than 20 games can be affected by the threat, increasing what is already a large target for cybercriminals. Another file type that hasn’t been targeted before is iTunes related. But first, let’s have a look at the initial infection.
This crypto-ransomware variant has been distributed from a compromised web site that redirected visitors to the Angler exploit kit by means of a Flash clip.
Bromium Labs notified the owner of the web site, but they haven’t responded. At the time of writing, the website was still serving malware. The site runs WordPress and could have been compromised through any one of the numerous WordPress exploits. Additionally, the URL where the malicious Flash file is hosted keeps changing.
The attackers used an unconventional way of redirecting users: instead of a typical iframe (or an iframe dynamically generated by JavaScript), they used a Flash clip wrapped in an invisible <div> tag.
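To give defenders something concrete to look for, here is an added example (not Bromium's code and not taken from the compromised site) that scans an HTML page for Flash content nested inside an invisible <div>, which is the redirect pattern described above. The sample page, the `.invalid` host names and the `find_hidden_flash` helper are all constructed for this illustration; the scanner only relies on the Python standard library.

```python
# Added example (not Bromium's code): scan an HTML page for a Flash object or
# embed that sits inside an invisible <div>, the redirect pattern described above.
from html.parser import HTMLParser
import re

FLASH_MIME = "application/x-shockwave-flash"
# Inline styles that hide a container from the visitor while plugins still run.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|\b(width|height)\s*:\s*0(px)?\s*(;|$)",
    re.I,
)


def _looks_like_swf(url):
    """True if the URL path (query string ignored) ends in .swf."""
    return url.lower().split("?", 1)[0].endswith(".swf")


class HiddenFlashScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.div_stack = []          # one flag per open <div>: True if that div is hidden
        self.pending_object = False  # inside an <object> whose SWF may come from a <param>
        self.findings = []           # URLs of Flash content found inside hidden divs

    def _in_hidden_div(self):
        # Anything nested under a hidden ancestor is invisible, even inside a visible child div.
        return any(self.div_stack)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "div":
            hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style", "")))
            self.div_stack.append(hidden)
        elif tag in ("object", "embed"):
            src = a.get("data") or a.get("src") or ""
            is_flash = a.get("type", "").lower() == FLASH_MIME or _looks_like_swf(src)
            if is_flash:
                if self._in_hidden_div():
                    self.findings.append(src)
                self.pending_object = False
            else:
                # <object> without type/data: the SWF may be given by <param name="movie">.
                self.pending_object = tag == "object"
        elif tag == "param" and self.pending_object:
            if a.get("name", "").lower() in ("movie", "src") and _looks_like_swf(a.get("value", "")):
                if self._in_hidden_div():
                    self.findings.append(a["value"])
                self.pending_object = False

    def handle_endtag(self, tag):
        if tag == "div" and self.div_stack:
            self.div_stack.pop()
        elif tag == "object":
            self.pending_object = False


def find_hidden_flash(html):
    """Return the URLs of Flash objects/embeds nested inside an invisible <div>."""
    scanner = HiddenFlashScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one hidden Flash redirector, one legitimate visible
# player, and one hidden <object> that names its SWF only through a <param>.
SAMPLE_PAGE = """
<html><body>
<h1>Welcome</h1>
<div style="display:none">
  <object type="application/x-shockwave-flash" data="http://redirector.invalid/clip.swf">
    <param name="movie" value="http://redirector.invalid/clip.swf">
  </object>
</div>
<div>
  <embed src="http://cdn.invalid/player.swf" type="application/x-shockwave-flash">
</div>
<div hidden>
  <div>
    <object>
      <param name="movie" value="http://other.invalid/loader.swf?x=1">
    </object>
  </div>
</div>
</body></html>
"""

if __name__ == "__main__":
    for url in find_hidden_flash(SAMPLE_PAGE):
        print("hidden Flash content:", url)
```

A hit is not proof of compromise on its own (some ad and tracking code legitimately hides Flash), but on a WordPress site that should not be serving Flash at all it is exactly the kind of thing to pull out of a crawl and inspect, and the flagged URL is the one to watch for the rotation the post describes.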
This new ransomware program claims to be a variant of CryptoLocker, but its creators are likely only reusing the name. The similarity between the new sample and the original CryptoLocker binaries is only around 8 percent, which is negligible.
Many young adults may not have any crucial documents or source code on their machine, but most of them surely have a Steam account with a few games and an iTunes account full of music. Non-gamers are also likely to be frustrated by these attacks if they lose their personal data.
Files are targeted by extension. Concretely, these are user profile data, saved games, maps, mods, etc. Often it’s not possible to restore this kind of data even after re-installing a game via Steam.
The malware first enumerates all the logical drives visible to the system. It then traverses the folder tree of each drive and encrypts every file matching one of 185 extensions.
The AES cipher is used for file encryption, and our experiments show the key is randomly generated for each file. Encrypted files are renamed to <filename>.ecc. It should be noted that the encryption-related code is statically linked and doesn’t seem to match OpenSSL; perhaps compiler optimizations or another open-source library account for the difference. The OpenSSL-related strings could come from the parts of BitCoin code we found in the binary.
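Because the malware walks every logical drive and renames each file it encrypts to .ecc, a burst of renames to that extension spread across unrelated directories is a cheap, high-signal indicator. The following is an added example (not Bromium's code) that runs a sliding-window detector over file-system event lines; the event line format, the sample events and the `detect_ecc_bursts` name are all constructed for this illustration.

```python
# Added example (not Bromium's code): flag a burst of renames to the ".ecc"
# extension this sample leaves behind as it walks every logical drive.
import ntpath
from collections import deque
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".ecc"

# Constructed file-system event lines in a hypothetical
# "<ISO time> <OP> <path>[ -> <new path>]" format. The first two are benign.
SAMPLE_EVENTS = [
    r"2015-03-12T10:00:00 CREATE C:\Users\alice\Documents\notes.txt",
    r"2015-03-12T10:00:03 RENAME C:\Users\alice\Documents\draft.docx -> C:\Users\alice\Documents\final.docx",
    r"2015-03-12T10:05:00 RENAME C:\Users\alice\Saves\slot1.sav -> C:\Users\alice\Saves\slot1.sav.ecc",
    r"2015-03-12T10:05:00 RENAME C:\Users\alice\Saves\slot2.sav -> C:\Users\alice\Saves\slot2.sav.ecc",
    r"2015-03-12T10:05:01 RENAME C:\Users\alice\Saves\slot3.sav -> C:\Users\alice\Saves\slot3.sav.ecc",
    r"2015-03-12T10:05:01 RENAME C:\Users\alice\Saves\profile.cfg -> C:\Users\alice\Saves\profile.cfg.ecc",
    r"2015-03-12T10:05:02 RENAME C:\Users\alice\Music\song1.m4a -> C:\Users\alice\Music\song1.m4a.ecc",
    r"2015-03-12T10:05:02 RENAME C:\Users\alice\Music\song2.m4a -> C:\Users\alice\Music\song2.m4a.ecc",
    r"2015-03-12T10:05:03 RENAME C:\Users\alice\Music\song3.m4a -> C:\Users\alice\Music\song3.m4a.ecc",
]


def parse_event(line):
    """Split one event line into (time, op, path, new_path); new_path is None unless op is RENAME."""
    ts, op, rest = line.split(" ", 2)
    when = datetime.fromisoformat(ts)
    if op == "RENAME":
        old, new = rest.split(" -> ", 1)
        return when, op, old, new
    return when, op, rest, None


def detect_ecc_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Return one alert per burst of at least `threshold` renames to .ecc within `window`."""
    recent = deque()         # (time, new_path) of .ecc renames inside the sliding window
    alerts = []
    suppressed_until = None  # do not re-alert on every further event of the same burst
    for line in lines:
        when, op, _old, new = parse_event(line)
        if op != "RENAME" or not new.lower().endswith(ENCRYPTED_EXT):
            continue
        recent.append((when, new))
        while when - recent[0][0] > window:   # drop events older than the window
            recent.popleft()
        if len(recent) >= threshold and (suppressed_until is None or when > suppressed_until):
            alerts.append({
                "first": recent[0][0],
                "last": when,
                "count": len(recent),
                # The paths are Windows paths, so use ntpath regardless of the host OS.
                "dirs": sorted({ntpath.dirname(p) for _, p in recent}),
            })
            suppressed_until = when + window
    return alerts


if __name__ == "__main__":
    for alert in detect_ecc_bursts(SAMPLE_EVENTS):
        print(f"{alert['count']} .ecc renames between {alert['first']} and {alert['last']} "
              f"in {len(alert['dirs'])} directories: {alert['dirs']}")
```

The directory list is the part worth acting on: a user renaming files by hand touches one folder, whereas this sample's drive-by-drive traversal shows up as .ecc renames landing in several unrelated folders within seconds. Feeding the detector from a real-time file monitor rather than a log after the fact is what makes it useful, since the per-file AES keys mean there is nothing to recover once the walk has finished.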
This new specimen falls neatly into the ransomware evolution chain presented in the Bromium crypto-ransomware report. As more file categories are targeted, a broader audience is affected. The attackers are also getting better at incorporating BitCoin code directly into their projects.