A new piece of ransomware that (mis)uses the Cryptolocker “brand” has been analyzed by Bromium researchers, and they discovered that aside from the usual assortment of file types that ransomware usually targets, this variant also encrypts file types associated with video games and game related software.
But not all video games, and not the most popular ones. It targets files associated with the single-player games Call of Duty, StarCraft 2, Diablo, Fallout 3, Minecraft, Half-Life 2, Dragon Age: Origins, The Elder Scrolls (specifically Skyrim-related files), Star Wars: Knights of the Old Republic, Warcraft 3, F.E.A.R., Saints Row 2, Metro 2033, Assassin’s Creed, S.T.A.L.K.E.R., Resident Evil 4 and BioShock 2; and with the online games World of Warcraft, DayZ, League of Legends, World of Tanks and Metin2.
It also encrypts company-specific files for various EA Sports, Valve and Bethesda games, files associated with the Steam gaming platform, and files belonging to game development software such as RPG Maker, Unity3D and Unreal Engine.
The ransomware, dubbed “TeslaCrypt,” also encrypts iTunes-related files, which is also a first. All in all, this variant targets 185 file extensions.
“Encrypting all these games demonstrates the evolution of crypto-ransomware as cybercriminals target new niches,” noted Vadim Kotov, Senior Security Researcher at Bromium. “Many young adults may not have any crucial documents or source code on their machine (even photographs are usually stored at Tumblr or Facebook), but surely most of them have a Steam account with a few games and an iTunes account full of music. Even professional adults may be frustrated by these attacks if they lose their games along with the rest of their personal data.”
The malware itself might look like Cryptolocker at first – it uses a similar visual identity – but when the two code bases are compared, less than ten percent is the same.
It is currently being distributed via a compromised WordPress site that redirects users to a page hosting the Angler exploit kit.
“Bromium analysis determined this instance of Angler checks for the presence of several virtual machine artefacts, Fiddler and some of the anti-virus products using Microsoft.XMLDOM and the res:// protocol,” Kotov shared. If none of these are present on the target system, the kit serves exploits for the Flash (CVE-2015-0311) and Internet Explorer (CVE-2013-2551) vulnerabilities.
“The payment procedure is operated through a website located in the TOR domain,” notes Kotov. “Each instance of the ransomware has its own BTC address.”
The files are encrypted with the AES cipher, and encrypted files gain the .ecc extension. It is still unknown how the main encryption key pair is created. The ransomware also creates a key.dat file that has yet to be successfully analyzed and which might be usable to decrypt the data.
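The two on-disk artefacts the article names, the .ecc extension appended to encrypted files and the key.dat file the ransomware creates, are enough to build a simple behavioural detection. The following is an added example, not code from the article or from Bromium: it reads file-system event lines in a constructed log format (timestamp, pid, action, path), flags any process that produces a burst of .ecc files within a short window, and notes whether the same process also created a key.dat file. The log lines, the threshold and window values, and the file paths are all constructed for illustration.

```python
"""Flag TeslaCrypt-style encryption bursts in file-system event logs.

Added example, not from the original article. Indicators used:
  - many files gaining the ".ecc" extension in a short time (article)
  - a "key.dat" file created by the same process (article)
Log format, sample lines and tuning values are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT_EXT = ".ecc"                   # extension the article says is appended
KEY_FILE = "key.dat"                   # artefact the article says is created
BURST_THRESHOLD = 5                    # assumed tuning: .ecc files per window
BURST_WINDOW = timedelta(seconds=60)   # assumed tuning: window length

# Constructed log format: "<ISO timestamp> pid=<n> <ACTION> <path>"
# For RENAME events the recorded path is the destination name.
SAMPLE_LOG = r"""
2015-03-12T10:00:01 pid=4120 CREATE C:\Users\alice\Documents\report.docx
2015-03-12T10:04:58 pid=5532 CREATE C:\Users\alice\AppData\Roaming\key.dat
2015-03-12T10:05:01 pid=5532 RENAME C:\Users\alice\Documents\report.docx.ecc
2015-03-12T10:05:02 pid=5532 RENAME C:\Users\alice\Pictures\holiday.jpg.ecc
2015-03-12T10:05:04 pid=5532 RENAME C:\Program Files (x86)\Steam\userdata\1234\remote\save01.ecc
2015-03-12T10:05:07 pid=5532 RENAME C:\Users\alice\Saved Games\Skyrim\quicksave.ecc
2015-03-12T10:05:09 pid=5532 RENAME C:\Users\alice\Music\iTunes\iTunes Library.ecc
2015-03-12T10:05:12 pid=5532 RENAME C:\Users\alice\Documents\budget.xlsx.ecc
2015-03-12T11:30:00 pid=7001 CREATE C:\Users\alice\Downloads\sample.ecc
2015-03-12T13:30:00 pid=7001 CREATE C:\Users\alice\Downloads\sample2.ecc
"""

LINE_RE = re.compile(r"^(\S+)\s+pid=(\d+)\s+(\S+)\s+(.+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, pid, action, path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "action": action, "path": path}


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def max_burst(times, window):
    """Largest number of events inside any sliding window: (count, start)."""
    times = sorted(times)
    best, best_start, lo = 0, None, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:      # slide the left edge forward
            lo += 1
        if hi - lo + 1 > best:
            best, best_start = hi - lo + 1, times[lo]
    return best, best_start


def detect(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return one alert per process whose .ecc burst reaches the threshold."""
    ecc_times = defaultdict(list)
    key_drop = set()
    for ev in events:
        name = ev["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.endswith(SUSPECT_EXT) and ev["action"] in ("CREATE", "RENAME", "WRITE"):
            ecc_times[ev["pid"]].append(ev["ts"])
        if name == KEY_FILE and ev["action"] == "CREATE":
            key_drop.add(ev["pid"])
    alerts = []
    for pid, times in ecc_times.items():
        count, start = max_burst(times, window)
        if count >= threshold:
            alerts.append({"pid": pid, "ecc_files": count,
                           "window_start": start.isoformat(),
                           "key_dat_dropped": pid in key_drop})
    return sorted(alerts, key=lambda a: a["pid"])


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, only pid 5532 is reported: six .ecc renames inside eleven seconds, preceded by a key.dat drop, while pid 7001's two .ecc files hours apart stay below the threshold. The burst rule is what separates a user who happens to handle an .ecc file from a process rewriting a directory tree; the key.dat check is a corroborating indicator rather than a requirement, since the article does not say where that file is written.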