Beware of ransomware with Pokémon Go
With all the frenzy around Pokémon Go, it was only a matter of time before attackers leveraged its popularity to spread ransomware, a type of computer malware that prevents or limits users from accessing their system. Unfortunately, a new ransomware was recently discovered impersonating a Pokémon Go app for Windows.
Detected by Trend Micro as Ransom_Pogotear.A, it appears at first to be like any other ransomware. However, a closer look revealed that its creators based it on Hidden Tear, an open-source piece of ransomware released in August 2015 with the stated intention of educating people.
The Pokémon Go ransomware creates a “Hack3r” backdoor user account in Windows and adds it to the administrator group. The registry is tweaked to hide the Hack3r account from the Windows login screen. Another feature creates a network share on the victim’s computer, allowing the ransomware to spread by copying the executable to all drives. Once the executable is copied to removable drives, it creates an autorun file so the ransomware runs each time someone accesses the removable drive. The executable is also copied to the root of other fixed drives. This way, the Pokémon Go ransomware will run when the victim logs into Windows.
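The persistence described above (a hidden backdoor account in the administrator group, a network share, and autorun files and executables at drive roots) leaves artefacts a defender can look for. The following PowerShell check is an added example, not code from the original article or from Trend Micro; it assumes the hidden-account trick uses the standard Winlogon SpecialAccounts\UserList key, which the article does not name, and the allow-list of expected administrators is constructed and must be adjusted per host.

```powershell
# Added example (not from the original article): hunt for the Pogotear-style
# persistence artefacts described in the text. Run in an elevated PowerShell 5.1+ session.
$findings = @()

# 1. Accounts hidden from the login screen. Assumption: the sample uses the standard
#    Winlogon SpecialAccounts\UserList key, where a DWORD value of 0 hides the account.
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    foreach ($p in (Get-ItemProperty -Path $userList).PSObject.Properties) {
        if ($p.Name -notmatch '^PS' -and $p.Value -eq 0) {
            $findings += "Hidden login-screen account in UserList: $($p.Name)"
        }
    }
}

# 2. Unexpected members of the local Administrators group (e.g. a "Hack3r" account).
$expectedAdmins = @('Administrator')   # constructed allow-list; edit for your environment
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $shortName = ($_.Name -split '\\')[-1]
    if ($expectedAdmins -notcontains $shortName) {
        $findings += "Unexpected local admin: $($_.Name) (source: $($_.PrincipalSource))"
    }
}

# 3. Non-default network shares; the article says the sample creates one to spread.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $findings += "Non-default SMB share: $($_.Name) -> $($_.Path)"
}

# 4. autorun.inf and executables dropped at the root of fixed and removable drives.
Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -in 'Fixed','Removable' } | ForEach-Object {
    $root = "$($_.DriveLetter):\"
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path $autorun) {
        $content = (Get-Content -Path $autorun -Raw) -replace '\s+', ' '
        $findings += "autorun.inf at $root : $content"
    }
    Get-ChildItem -Path $root -File -Filter '*.exe' -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "Executable at drive root: $($_.FullName)"
    }
}

if ($findings.Count -eq 0) { 'No Pogotear-style persistence artefacts found.' } else { $findings }
```

Any hit is a lead, not a verdict: legitimate software also creates shares and admin accounts, so corroborate against the host's change history before acting.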
Based on the language used by the ransom note, the Pokémon Go ransomware appears to target Arabic-speaking users, with an accompanying ransom screen that features a Pikachu image. In addition, the screensaver executable is also embedded with an image of “Sans Titre”, which is French for “untitled”, suggesting a clue to the developer’s origin.
The Hidden Tear ransomware isn’t new. In January 2015, Trend Micro discovered a hacked website in Paraguay that distributed ransomware detected as Ransom_Cryptear.B. According to the analysis, the website was compromised by a Brazilian hacker, and the ransomware was created using modified Hidden Tear code. Prior to this discovery, when the source code of Hidden Tear was made public for educational purposes, the creator was very specific about not using Hidden Tear as ransomware. Unfortunately, as expected, the subsequent discovery of Ransom_Cryptear.B and this current Pokémon Go-themed ransomware has shown that, even with the best intentions, improper disclosure of sensitive information such as working ransomware source code can lead to troublesome outcomes like these.
To avoid ransomware, users are encouraged to regularly back up files and to keep an up-to-date security solution. As the game is introduced in new regions, the Pokémon Go craze is expected to continue to gain momentum, and cybercriminals will find ways to capitalise on it. In fact, in July, malicious Pokémon Go apps were found tricking users into downloading them. This should remind users to remain vigilant about threats that ride on the popularity of such games.