Saturday, April 13, 2024

WannaCry is back! Or not? Ransomware embedded in Russian video game installer


Experts believe that Enlisted is only the first game in a series of attacks, and attackers may soon target other popular projects in the Russian Federation.

According to a recent report by researchers at Cyble, a ransomware strain suspiciously similar to the notorious WannaCry is being actively used in a malicious campaign aimed at Russian players of the multiplayer first-person shooter “Enlisted”.

Enlisted is a massively multiplayer online first-person shooter reenacting the battles of World War II. The game is developed by Darkflow Software and published by Gaijin Entertainment. As one might guess, in its pure form the game poses no threat; it is completely legitimate software. However, hackers still figured out how to reach users through it.

Since the game is free, attackers can easily download its installer, modify it, and then distribute the infected copy through fake sites that imitate the official download resource, where unsuspecting users pick it up.


Fake Enlisted website

The ransomware bundled with the modified game installer pretends to be the third version of the infamous WannaCry. The program even uses the “.wncry” extension for encrypted files.

According to the Cyble researchers who analyzed the strain, this supposed new WannaCry variant is actually based on an open-source Python locker called “Crypter”. In other words, it has nothing in common with the original WannaCry beyond its interface and name.

It should be noted that this is not the first time someone has tried to imitate WannaCry, most likely to exploit the virus’s notoriety, intimidate victims and ensure the ransom is paid quickly.

The installer downloaded from the fake Enlisted website is named “enlisted_beta-v1.0.3.115.exe”. When run, it drops two executables onto the user’s disk: “ENLIST~1” (the actual game) and “enlisted” (the Python ransomware launcher).

Once launched, the ransomware parses its JSON configuration file, which determines which file types to target, which directories to skip, which ransom note to generate, which wallet address the ransom should be sent to, and other attack parameters.

Files are encrypted with AES-256, and all locked files receive the “.wncry” filename extension. Interestingly, the ransomware does not attempt to kill processes or stop services that might interfere with encryption, although this is standard practice in modern ransomware. It does, however, follow the usual strategy of deleting Windows backups to prevent easy data recovery.

Once the encryption process is complete, the ransomware displays a ransom note in a dedicated GUI application, giving the victim three days to respond to the demands.



A malware interface imitating WannaCry

The attackers also change the victim’s desktop background so that their message gets through 100%, even if antivirus software blocks the ransom note from launching.



Black wallpaper with message from ransomware
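As an added example (not code from the article, from Cyble, or from the malware itself), the following Python routine turns the behavioural indicators described above into a small endpoint-log detector: execution of the fake installer name, execution of the dropped “enlisted” launcher, a Windows backup-deletion command, and a burst of files gaining the “.wncry” extension within a short window. The pipe-separated log format, the sample events, the function names and the specific backup-deletion command strings are all assumptions; the article only says the malware deletes Windows backups without naming the command.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Indicators taken from the article: the fake installer name, the dropped
# Python launcher name, and the extension appended to encrypted files.
FAKE_INSTALLER = "enlisted_beta-v1.0.3.115.exe"
LAUNCHER_NAME = "enlisted"
RANSOM_EXT = ".wncry"

# Assumption: the article does not say how backups are deleted, so these are
# generic shadow-copy / backup-catalog deletion strings a defender would watch
# for, not strings taken from the sample.
BACKUP_DELETION_MARKERS = ("vssadmin delete shadows", "wbadmin delete catalog")


@dataclass
class Event:
    ts: datetime
    kind: str      # "process" or "file"
    image: str     # process image path ("" for file events)
    detail: str    # command line (process) or file path (file)


def parse_line(line):
    # Assumed constructed log format:
    #   <iso-timestamp>|process|<image path>|<command line>
    #   <iso-timestamp>|file|<path written or renamed>
    parts = line.rstrip("\n").split("|")
    ts = datetime.fromisoformat(parts[0])
    if parts[1] == "process":
        return Event(ts, "process", parts[2], parts[3])
    if parts[1] == "file":
        return Event(ts, "file", "", parts[2])
    raise ValueError(f"unknown event kind: {parts[1]}")


def basename(path):
    return PureWindowsPath(path).name.lower()


def analyze(lines, window=timedelta(seconds=60), threshold=20):
    """Return a list of (alert_type, evidence) tuples for the given log lines."""
    alerts = []
    recent = deque()        # timestamps of recent .wncry file events
    mass_alerted = False
    for ev in map(parse_line, lines):
        if ev.kind == "process":
            name = basename(ev.image)
            if name == FAKE_INSTALLER:
                alerts.append(("fake-installer", ev.image))
            elif name in (LAUNCHER_NAME, LAUNCHER_NAME + ".exe"):
                # Assumption: a legitimate install does not run a bare
                # executable with exactly this name; tune to your environment.
                alerts.append(("dropped-launcher", ev.image))
            if any(m in ev.detail.lower() for m in BACKUP_DELETION_MARKERS):
                alerts.append(("backup-deletion", ev.detail))
        elif ev.detail.lower().endswith(RANSOM_EXT):
            # Sliding window: count .wncry files appearing within `window`.
            recent.append(ev.ts)
            while recent and ev.ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and not mass_alerted:
                mass_alerted = True
                alerts.append(("mass-encryption",
                               f"{len(recent)} {RANSOM_EXT} files within {window.seconds}s"))
    return alerts


# Constructed sample log: one fake-installer run, the dropped launcher, a
# backup deletion, a benign process, 25 encrypted files and one untouched file.
SAMPLE_LOG = [
    "2024-04-13T10:00:00|process|C:\\Users\\u\\Downloads\\enlisted_beta-v1.0.3.115.exe|enlisted_beta-v1.0.3.115.exe",
    "2024-04-13T10:00:05|process|C:\\Users\\u\\AppData\\Local\\Temp\\enlisted|enlisted",
    "2024-04-13T10:00:06|process|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    "2024-04-13T10:00:07|process|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
] + [
    f"2024-04-13T10:00:{10 + i:02d}|file|C:\\Users\\u\\Documents\\doc{i}.docx.wncry"
    for i in range(25)
] + [
    "2024-04-13T10:00:40|file|C:\\Users\\u\\Documents\\notes.txt",
]

if __name__ == "__main__":
    for alert_type, evidence in analyze(SAMPLE_LOG):
        print(f"[{alert_type}] {evidence}")
```

The mass-encryption rule fires once, on the twentieth “.wncry” file seen inside the sixty-second window, so a single stray file with that extension does not raise an alert; the process rules fire per event. In practice the file events would come from a file-integrity or EDR feed rather than a hand-built list.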

The attackers do not use a Tor site to communicate with victims and do not provide a link to a secure encrypted chat; instead, they rely on a simple Telegram bot.

It is possible that other games popular among Russian-speaking users may later come under attack from cybercriminals. Increased vigilance is therefore required, and installers should be downloaded only from official sources.

If you doubt whether a site is genuine, remember that most projects, especially games, have social media accounts where you can always double-check the current download links.



Source: www.securitylab.ru
