It's no longer deniable that Pokémon GO is the new craze in mobile gaming today, letting users become "trainers" and catch pocket monsters in the real world. With the hype spreading worldwide, a cybercriminal has taken advantage of the moment to develop ransomware named after the popular game.
A new Hidden-Tear ransomware has been discovered by malware researcher Michael Gillespie. It masquerades as a Pokémon GO app for Windows and targets Arabic-speaking victims. Once a computer is infected, it encrypts all files with the following extensions:
.txt, .rtf, .doc, .pdf, .mht, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .htm, .gif, .png
It uses AES encryption to lock the files, then appends a ".locked" extension to the affected documents. As soon as the encryption process finishes, it drops a ransom note named "هام جدا.txt", asking the victim to email "me.blackhat20152015@mt2015.com" in order to get decryption instructions. The ransom note states (translated from Arabic):
( : Your files have been encrypted, decoding Falaksa Mobilis following address me.blackhat20152015@mt2015.com and thank you in advance for your generosity
While it seems to behave like ordinary ransomware that simply encrypts and asks for payment, the Pokémon GO ransomware has more up its sleeve. It also creates a backdoor administrator Windows account named "Hack3r", so the malware operator can gain access to the victim's computer directly. It even hides the account from the victim using a registry edit.
In addition, the Pokémon GO ransomware attempts to spread to other computers by copying the ransomware executable to all removable drives. The malware also generates an autorun.inf file to make sure the ransomware activates every time the drive is plugged into a computer. Lastly, it copies itself to the other fixed drives on the computer and sets up another autorun file to start it whenever the computer boots.
Despite these capabilities, the ransomware is reportedly still in development. For one, the malware uses a static AES key of "123vivalalgerie", and its server uses an IP address reserved for private networks, making it impossible to reach over the internet.
While this crypto-malware may still be in testing, we advise our readers to be careful about where they go on the internet and what they download, so as to avoid contracting such nasty malware in the future.
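As an added example (not code from the article or from the researcher's analysis), the following Python triage script walks a drive root and reports the three file-system indicators described above: files ending in ".locked", the ransom note "هام جدا.txt", and an autorun.inf at the drive root that launches a program. The function names, the sample directory tree and the placeholder executable name in the constructed autorun.inf are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

RANSOM_NOTE = "هام جدا.txt"    # ransom note file name reported in the article
ENCRYPTED_EXT = ".locked"     # extension appended to encrypted documents
AUTORUN = "autorun.inf"       # dropped at drive roots to re-launch the malware


def scan_drive_root(root):
    """Hypothetical triage helper: collect the article's indicators under a drive root."""
    root = Path(root)
    findings = {"locked_files": [], "ransom_notes": [], "autorun_files": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() == ENCRYPTED_EXT:
            findings["locked_files"].append(rel)
        elif path.name == RANSOM_NOTE:
            findings["ransom_notes"].append(rel)
        elif path.name.lower() == AUTORUN and path.parent == root:
            # An autorun.inf that launches a program (open= / shellexecute=)
            # is the pattern used to start the copy on removable drives.
            text = path.read_text(errors="ignore").lower()
            launches = any(line.strip().startswith(("open=", "shellexecute="))
                           for line in text.splitlines())
            findings["autorun_files"].append((rel, launches))
    return findings


def is_suspicious(findings):
    """True when any indicator suggests this drive was touched by the ransomware."""
    return bool(findings["locked_files"] or findings["ransom_notes"]
                or any(launches for _, launches in findings["autorun_files"]))


def build_sample_root():
    """Construct a throwaway directory tree mimicking an infected removable drive."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.locked").write_bytes(b"\x00" * 16)
    (root / "docs" / "notes.txt").write_text("clean file, untouched")
    (root / RANSOM_NOTE).write_text("constructed stand-in for the ransom note")
    # Executable name is not given in the article, so a placeholder is used here.
    (root / AUTORUN).write_text("[autorun]\nopen=PLACEHOLDER_RANSOMWARE.exe\n")
    return root


if __name__ == "__main__":
    result = scan_drive_root(build_sample_root())
    print(result, "suspicious:", is_suspicious(result))
```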
Source: Michael Gillespie via Bleeping Computer | Images via Bleeping Computer