Russian Enlisted gamers targeted by a ransomware operation

June 24, 2023

A new ransomware operation currently targets Russian Enlisted gamers. Enlisted is a multiplayer first-person shooter. The threat actors impersonate the game and use fake websites to propagate a phoney version of Enlisted.

The threat actors exploited the fact that the game is free. They downloaded the installer from the publisher and modified its code to spread malicious payloads to unsuspecting players.

The actors bundled the game with an alleged version of the WannaCry ransomware, which also uses the [.]wncry file extension for the encrypted files.


The Enlisted gamers could get infected by the WannaCry ransomware.


According to investigations, the new WannaCry ransomware variant that targets Enlisted gamers is based on an open-source Python locker. After launch, the installer downloaded by the users from the fake website drops two executable files on their disks.

On start-up, the ransomware creates a mutex so that only one instance runs on the compromised device. It then parses its JSON configuration file, which defines the targeted file types, the directories to skip, the ransom note to display, the wallet address that should receive the ransom, and other settings of the attack.

The Crypter ransomware then checks its working directory for a key[.]text file to use in the encryption process; if none is found, it generates one. Encryption uses the AES-256 algorithm, and the [.]wncry file extension is appended to every locked file.

The campaign also follows a tactic common to ransomware attacks: deleting the Windows shadow copies to prevent data restoration. Once encryption finishes, the ransomware displays the ransom note in a GUI application, giving the victim three days to comply with the attackers' demands.
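The behaviours described above (shadow-copy deletion, mass [.]wncry renames, a key file in the locker's working directory) are what a defender would look for in endpoint telemetry. The following triage script is an added example, not code from the article or from the malware: it runs over constructed process- and file-creation events, flags hosts that show shadow-copy deletion or a burst of [.]wncry files, and records the location of any key file (the article does not name the exact shadow-copy command or the precise key file name, so the `vssadmin`/`wmic` patterns and the `key.txt`/`key.text` names are assumptions).

```python
import re

# Constructed sample telemetry (not from the article): process-creation and
# file-creation events as a SIEM might normalise them.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "cmdline": r"C:\Users\p\Downloads\enlisted_setup.exe"},
    {"type": "process", "host": "ws01", "cmdline": r"C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"type": "file", "host": "ws01", "path": r"C:\Users\p\Documents\report.docx.wncry"},
    {"type": "file", "host": "ws01", "path": r"C:\Users\p\Documents\budget.xlsx.wncry"},
    {"type": "file", "host": "ws01", "path": r"C:\Users\p\AppData\Local\Temp\crypter\key.txt"},
    {"type": "file", "host": "ws02", "path": r"C:\Users\q\notes.txt"},
]

# Assumption: the article only says shadow copies are removed; these are the
# commonly abused built-in commands, not ones the article names.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I
)
# Assumption: the article writes the key file as "key[.]text"; accept both spellings.
KEY_FILE_NAMES = {"key.txt", "key.text"}


def triage(events, wncry_threshold=2):
    """Group events per host and return shadow-copy deletion, .wncry count,
    key file paths and an overall 'suspect' verdict for each host."""
    findings = {}
    for ev in events:
        f = findings.setdefault(
            ev["host"], {"shadow_delete": False, "wncry_files": 0, "key_files": []}
        )
        if ev["type"] == "process" and SHADOW_DELETE.search(ev["cmdline"]):
            f["shadow_delete"] = True
        elif ev["type"] == "file":
            name = ev["path"].rsplit("\\", 1)[-1].lower()
            if name.endswith(".wncry"):
                f["wncry_files"] += 1
            elif name in KEY_FILE_NAMES:
                # Worth preserving for the incident responder rather than wiping.
                f["key_files"].append(ev["path"])
    for f in findings.values():
        f["suspect"] = f["shadow_delete"] or f["wncry_files"] >= wncry_threshold
    return findings


if __name__ == "__main__":
    for host, f in triage(SAMPLE_EVENTS).items():
        print(host, f)
```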

Furthermore, these miscreants change their victims' desktop wallpaper so that the target knows they have been compromised. Lastly, the attackers run neither a Tor site nor a private chat link for victims; instead, they use a Telegram bot to communicate with their targets.

Cybersecurity experts warn gamers, especially Enlisted players, to refrain from downloading games from untrusted sources since most threat actors offer fake games to spread their malicious tools.
