This weird ransomware can only be decrypted by going to the Roblox store


If you thought ransomware forcing people to do good deeds was bizarre – wait until you hear about WannaFriendMe. To get the decryptor for this newly discovered ransomware strain, victims need to buy a game pass on the Roblox Game Pass store.

Roblox is a gaming platform where users get to build and play games. Game builders can monetize their creations by requiring game passes before playing. These passes can be bought with the platform’s native currency, Robux.

In the ransom note sent to the victims, it says they need to buy a specific game pass, costing 1700 Robux, or roughly $20. After acquiring the game pass, they need to contact a specific email address with their username, and a screenshot to prove the purchase. 

Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Chaos? Or Ryuk?

The attackers are warning the victims not to delete the game pass as that will render the process invalid.

If you thought $20 was pocket change compared to other malware operators whose demands reach tens of thousands of dollars, do keep in mind that the targets for this campaign are mostly gamers. 

Another interesting point is that the threat actors are using Chaos ransomware, which tries to pass itself off as Ryuk. In mid-2021, someone started selling a Chaos ransomware builder, allowing pretty much anyone with a few extra dollars to spare, to build their own ransomware strain. 

The main difference between Chaos and Ryuk, is the fact that the former is known for overwriting large files with gibberish. 

In other words, once encrypted, any files larger than 2MB in size can never be retrieved. This is a known fact for Chaos, and might put off some people that considered paying the ransom demand. 

The researchers that discovered the campaign, MalwareHunterTeam, said that the Chaos ransomware builder pretends to be Ryuk by default, by using the .ryuk extension for all of the encrypted files. 

Via: BleepingComputer



Source link