While Pokemon Go, the hugely popular augmented reality game, is officially only available for mobile devices, there are ways to play it on PC (we have a guide for it here). But going down the unofficial route does come with its own risks. If you download the game from a dubious source, you may potentially fall prey to nefarious software created by cybercriminals. One example is a new ransomware that impersonates a Pokemon GO application for Windows. Here’s what you need to know.
Spotted by security researcher Michael Gillespie earlier this month, it is based on the Hidden Tear ransomware and is currently targeting Arabic-speaking users. But it’s worth noting that the ransomware is still in development and has the potential to spread and affect other demographics.[related title=”More Stories on Ransomware” tag=”ransomware” items=”3″]
According to security vendor Trend Micro: “There are numerous indicators that the ransomware is still under development. One of them is that it has a static AES encryption key of ‘123vivalalgerie’. Additionally, the command & control server (C&C) uses a private IP address which means it cannot connect over the Internet.”
Malwarebytes Labs has done a deep analysis of this Pokemon Go ransomware and has detailed the way it infects a user’s PC. Crucially, it creates a backdoor user account in Windows:
” Upon execution PokemonGo creates the following files:
C:\Users\current user\Desktop\pk (password)
C:\Users\current user\Desktop\هام جدا.txt (Ransom note)
C:\Users\current user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6002.exe (random but 6002.exe for this instance. This resource file is extracted from the main executable, it is saved to the user Startup folder and launched upon restart, contains Pokemon and Arabic note screensaver).
… PokemonGo comes with a backdoor functionality, in which it uses the addUser function to add a user to the administrators group under the user name “Hack3r”. PokemonGo also makes this new user a ‘hidden’ user via the Windows registry ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList’ (value set to ‘0’), which is used to hide the newly added “Hack3r” account on the welcome/login screen.”
Malwarebytes noted that the ransomware does have a few clever tricks up its sleeves:
“We already mentioned one of the clever tricks PokemonGo has of creating the hidden user “Hack3r” but it also has some more new tricks. Earlier this year we saw zCrypt ransomware identifying and copying itself to connected removable drives and attempting to use an Autorun.inf file to populate and infect new victims. Using this method of populating and infecting new victims, via the Populate function, PokemonGo would be able to locate connected removable drives and drop both a copy of itself as well as an Autorun.inf file. The purpose of dropping the autorun file is so the malware can be executed by the AutoRun and AutoPlay components of Microsoft Windows, which in turn means that the malware can be launched from a USB or CD upon being inserted into a new target system. (although noted in the Populate function this was not seen during analysis).”
You can find read through the analysis here.
As always, we’d recommend regularly backing up your data so that even if you do get hit by ransomware, at least you won’t lose all of your precious files. Also, steer clear of suspicious websites when you’re downloading files on the internet. Just exercise common sense.