IT Security Guru

Pokémon Go Ransomware: Don’t Catch This One

by The Gurus
October 7, 2016
in This Week's Gurus

It appears that this summer’s creature-catching craze has caught something of its own: ransomware.
Any type of digital, cultural phenomenon like Pokémon Go is likely to be exploited by malware writers, so it’s no surprise that Pokémon Go is now a transmitter of the malicious code.
Fun vs. fear
Just last week we learned of Hitler ransomware, which, as I noted, leverages fear by using an offensive image as a way to drive irrational behaviour.
Pokémon Go appears to tap into the opposite emotion—fun—by riding the wave of this cultural juggernaut. Just as someone might panic to pay a ransom due to fear, someone might download a file without thought due to the overwhelming desire for fun.
Supply and demand
There are a few interesting economic considerations with this ransomware:
First off, as noted in the analysis by Bleeping Computer, this ransomware targets Windows computers, and apparently Arabic speakers, too, based on the image in the infected splash screen.
According to a recent CNET article, Pokémon Go isn’t even available in the Middle East yet, so any hype that is building in the media (and there is a lot) only accelerates that interest for countries that do not yet have the game.
Secondly, Pokémon Go is a mobile game, so the developers of this ransomware would need to con someone who doesn’t have a basic understanding of the game to download the application to their Windows computer on the assumption that they could get the game that way.
Considering that Pokémon Go started in the United States and has been rolling out primarily to Western countries first, it is easy to see how the truth could be lost in translation, leaving unsuspecting victims open to exploitation.
Forbidden fun
Another interesting note is the fatwa against Pokémon games that was issued years ago by Saudi Arabia clerics and recently renewed due to issues around certain images and concepts including that of evolving the creatures.
Nothing drums up more interest than that which has been banned. Again, this is perhaps another emotion-based tactic used to lure unsuspecting victims into being exploited.
Ransomware’s future plans
Another interesting note about this ransomware is the inclusion of a backdoor account called Hack3r, which is created and hidden from users. There is no apparent use for the account except perhaps as a seed for future devious use.
Also, there is the creation of a network share with no apparent use except as a potential delivery vehicle.
In addition to the network share, there is also an attempt to write to any removable media, with an autorun entry that would attempt to launch the ransomware when the media is loaded on other computers.
Finally, the executable is written to a drive other than C:, with an autorun entry that launches it when the user logs into Windows. None of these techniques are new, but it appears that the authors were looking to develop something pervasive and easy to spread.
The ransomware appears to be still in development: its encryption approach is incomplete and uses a fixed key, 123vivalalgerie.
Also, the incomplete propagation techniques mentioned earlier indicate that this ransomware was caught early. Kudos to Michael Gillespie (@demonslay335), who caught this sample in the wild before it evolved into something nastier.
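As an added illustration that is not part of the original article, the following detection pass runs over constructed Windows Security/Sysmon-style event records and flags the behaviours described above: creation of the Hack3r account, a new network share, an autorun.inf dropped on a non-C: drive, and a Run-key entry pointing at an executable outside C:. The event IDs (4720, 5142, Sysmon 11 and 13) and field names follow common Windows and Sysmon conventions; the sample records are constructed, not real telemetry from the sample.

```python
import re

# Constructed sample records, loosely modelled on Windows Security (4720, 5142)
# and Sysmon (11 = file create, 13 = registry value set) event fields.
# These are NOT real logs from the ransomware sample the article describes.
SAMPLE_EVENTS = [
    {"id": 4720, "TargetUserName": "Hack3r", "SubjectUserName": "alice"},
    {"id": 4720, "TargetUserName": "svc_backup", "SubjectUserName": "admin"},
    {"id": 5142, "ShareName": "\\\\*\\PokemonGo", "ShareLocalPath": "D:\\share"},
    {"id": 11, "TargetFilename": "E:\\autorun.inf", "Image": "D:\\PokemonGo.exe"},
    {"id": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows"
                               "\\CurrentVersion\\Run\\PokemonGo",
     "Details": "D:\\PokemonGo.exe"},
    {"id": 13, "TargetObject": "HKLM\\Software\\Microsoft\\Windows"
                               "\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Program Files\\OneDrive.exe"},
]

# Matches an absolute Windows path whose drive letter is anything but C:
NON_C_DRIVE = re.compile(r"^[A-BD-Z]:\\", re.IGNORECASE)


def scan_events(events):
    """Return a list of (event index, reason) for every record that matches
    one of the four behaviours discussed in the article."""
    findings = []
    for i, ev in enumerate(events):
        eid = ev.get("id")
        target = ev.get("TargetFilename", "")
        reg_key = ev.get("TargetObject", "").lower()
        if eid == 4720 and ev.get("TargetUserName", "").lower() == "hack3r":
            findings.append((i, "backdoor account 'Hack3r' created"))
        elif eid == 5142:
            findings.append((i, f"new network share {ev.get('ShareName')}"))
        elif (eid == 11 and target.lower().endswith("\\autorun.inf")
              and NON_C_DRIVE.match(target)):
            findings.append((i, f"autorun.inf written to non-C: drive: {target}"))
        elif (eid == 13 and "\\currentversion\\run\\" in reg_key
              and NON_C_DRIVE.match(ev.get("Details", ""))):
            findings.append((i, "Run key persistence pointing at "
                                f"non-C: executable {ev['Details']}"))
    return findings


if __name__ == "__main__":
    for idx, reason in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Any one of these hits is noisy on its own (new shares and Run keys are routine), so in practice the value is in seeing several of them from the same host within a short window.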
Key takeaways
If there is one thing to learn with this latest ransomware discovery, it’s that malware writers leverage trending events and interests to drive the spread of their scams.
Ransomware hits at our digital hearts (our data) and therefore emotions are key to spreading and monetising their work.
As always, beware of things that are too good to be true and take good precautions such as those listed in our article Everything You Need to Know to Prevent Ransomware.
Now back to capturing the local gym!

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic