Fortnite Ransomware Hidden in Game Hack
A ransomware called Syrk is targeting Fortnite's 250 million user base, disguising itself as a game hack. Syrk promises players a bot for aiming more accurately while playing, and a hack to reveal other players' locations in the game. What it really does is lock up the machine and demand a ransom; if the ransom goes unpaid, Syrk deletes batches of files every two hours. Syrk is in fact the Hidden-Cry ransomware repackaged with a .Syrk extension.
The source code for Hidden-Cry is readily available on GitHub, so the repackaged malware could begin cropping up in many different places. Syrk could be distributed by uploading it to a file-sharing site and posting the link in forums frequented by Fortnite players.
Once executed, the malware connects to a command-and-control server and disables Windows Defender and UAC through the registry. It then encrypts a range of file types, including *.gif, *.sln, *.docx, *.php, *.psd, *.ico, *.mov, *.xlsx, *.jpg, *.xls, *.doc, *.pdf, *.wav, *.pptx, *.ppt, *.txt, *.png, *.bmp, *.rar, *.zip, *.mp3, *.mp4 and *.avi, and gives the encrypted files the .syrk extension. It also monitors for Taskmgr, Procmon64 and ProcessHacker, which could interrupt its processes. Next it sets up a timed procedure that tries to delete the encrypted files: every two hours it deletes files from the following directories, in this order: %userprofile%\Pictures, %userprofile%\Desktop and %userprofile%\Documents. It also uses LimeUSB_Csharp.exe to infect any USB drives that are present.
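The behaviour above, turned into triage checks a responder can run over a file listing and a registry export. This is an added example, not Cyren's tooling or the malware's own code; it assumes encrypted files keep their original name with .syrk appended, and it uses the standard Windows Defender and UAC policy values because the article does not name the exact registry values Syrk changes.

```python
"""Triage helpers for the Syrk (Hidden-Cry) behaviour described above.
Added example, not Cyren's code or the malware's. Assumed: encrypted files
keep their name with ".syrk" appended (cat.jpg.syrk); the registry values
below are the standard Defender/UAC policy values (the write-up does not
name the exact values Syrk changes)."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# File types the write-up lists as targets for encryption.
TARGET_EXTENSIONS = {
    ".gif", ".sln", ".docx", ".php", ".psd", ".ico", ".mov", ".xlsx", ".jpg",
    ".xls", ".doc", ".pdf", ".wav", ".pptx", ".ppt", ".txt", ".png", ".bmp",
    ".rar", ".zip", ".mp3", ".mp4", ".avi",
}
# Folders the timed routine deletes from, in the order the write-up gives.
DELETION_ORDER = ("Pictures", "Desktop", "Documents")
DELETION_INTERVAL = timedelta(hours=2)
# Assumed policy values; the data on the right is the "protection off" state.
DISABLED_STATES = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware": 1,
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": 0,
}

def is_encrypted(path):
    """True for files carrying the .syrk extension."""
    return PureWindowsPath(path).suffix.lower() == ".syrk"

def is_target(path):
    """True for not-yet-encrypted files of a type the malware goes after."""
    p = PureWindowsPath(path)
    return not is_encrypted(p) and p.suffix.lower() in TARGET_EXTENSIONS

def deletion_exposure(paths, userprofile):
    """Group encrypted files by the folder the deletion loop hits, in the
    order it hits them, so responders know what to copy out first."""
    base = PureWindowsPath(userprofile)
    groups = {folder: [] for folder in DELETION_ORDER}
    for path in filter(is_encrypted, paths):
        for folder in DELETION_ORDER:
            if PureWindowsPath(path).is_relative_to(base / folder):
                groups[folder].append(path)
    return groups

def deletion_schedule(first_run_iso, waves):
    """ISO timestamps of the next deletion waves, two hours apart."""
    first = datetime.fromisoformat(first_run_iso)
    return [(first + DELETION_INTERVAL * i).isoformat() for i in range(1, waves + 1)]

def tampered_protections(registry):
    """Registry values (dict of name -> data) found in the off state."""
    return [k for k, off in DISABLED_STATES.items() if registry.get(k) == off]
```

Feed `deletion_exposure` the output of a recursive directory listing and `tampered_protections` a dict built from `reg query` output; files in the Pictures group are the ones the next two-hour wave hits first.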
Combining game malware with ransomware was inevitable. Social engineering through online video games has been going on for some time: it offers a large audience to target, in a community known to look for shortcuts. Malware disguised as a hack tool is novel in that it will never be validated by any app store, so it bypasses the normal security controls. This makes encrypting files by way of a game hack highly opportunistic and easy to execute. In this case the ransomware actually punished the cheater.
The good news is that Cyren researchers found that it is possible to decrypt the files, and to recover those that were deleted. The file dh35s3h8d69s3b1k.exe is the Hidden-Cry decrypting tool, and it is embedded in the malware as one of its resources. Since the key used is already known, it can be used to create a PowerShell script based on the shared source of the Hidden-Cry decrypter. To do this, extract the embedded file dh35s3h8d69s3b1k.exe and execute it on the infected machine; it drops the PowerShell script needed to decrypt the files. One main feature of the Hidden-Cry ransomware is that it creates a sense of urgency by deleting files every two hours. Given the simple method used to delete the files, victims can recover the deleted files as well.
Fortnite has become a global phenomenon, with over 250 million players worldwide. As an example of its popularity, the Fortnite World Cup offered a $30 million prize pool. Hackers are always interested in the gaming world, especially in games with large user bases. Gamers are attractive targets for this kind of attack since they most likely have computers with powerful graphics cards, which are heavily sought after for cryptocurrency mining. The more attention a game gets because of a new release or update, the more likely it is that a hacker will be able to distribute malware successfully. For example, MonsterInstall has been spread on websites that claim to offer hacks and cheats for games like CS:GO, Minecraft and FIFA.