Pay to play again: a cryptolocker variant goes after the gamers

March 18, 2015

A cryptolocker variant is coming after online gamers, and there is more to this story than meets the eye. Looks like cybercriminals found a great way to get to the people who are all too willing to pay to get their data back.

What lurks in the shadows. Bethesda TES V: Skyrim game screenshot” width=”1024″ height=”576″ /> What lurks in the shadows. Bethesda TES V: Skyrim game screenshot

A long slither

According to the researchers who have discovered the new malware, it uses a pretty sophisticated infection route. The entry point is a certain compromised website that is redirecting the users via a malicious Flash clip to another site hosting the Angler exploit kit, which, in turn, drops the Cryptolocker variant.

The first site in question is based in WordPress and possibly could have been previously compromised by any kind of WP exploit, which are pretty common. WordPress is a free CMS with modular design, popular among both individual users and enterprises. Not all of its plugins are secure, however, and given its popularity, hackers compromise WordPress-based sites quite often.

Then the Angler kit: Apparently, the attackers preferred ready to use, off-the-shelf tools to make sure they will succeed. Angler is also notorious for its evasiveness – it looks like the criminals didn’t take chances… or just weren’t technically advanced?

Actually, they seem to know their trade well enough to use non-conventional methods of evasion: attackers forego typical iframe redirects and instead use a Flash file wrapped in an invisible div tag, likely in an attempt to evade detection, Threatpost reports. The malware further proceeds through a number of checks for the presence of virtual machines or antivirus before dropping a Flash exploit for CVE-2015-0311 or an Internet Explorer exploit CVE-2013-2551.

They will pay

The cryptolocker itself is rather typical in behavior: it encrypts the files then displays  banners demanding ransom – in Bitcoin via Tor. Again, the attackers take no chances.

The interesting point here is the list of the targeted files: there are file extensions associated with more than 50 online and single-player games of AAA-class distributed via online content delivery systems. Call of Duty, Minecraft, Half-Life 2, Elder Scrolls series (Oblivion, Skyrim, Elder Scrolls Online), Assassin’s Creed, World of Warcraft, Day Z and a number of other games are among the targeted, along with Valve’s Steam gaming platform.

A bank in the World of Warcraft online game. Money matters…

Cryptolocker encrypts both main files, DLC content, and some hard or even impossible to recover files such as mods, savegames, user profiles, etc. Something that hardcore gamers would cherish, and they would probably be willing to pay even more than other victims.

Where money lie

The gaming industry habituated the players to pay not only for subscriptions, but extra downloadable content and premium in-game items that help them achieve progress faster. The latter is a somewhat newer trend – but it clearly shows that the players perceive these items to have real-world value, convertible to real cash.

And that is what attackers are after. Apparently, the “gaming cryptolocker” variant’s authors calculated well where they wanted to direct their hit: for the hardcore gamers their gaming content matters, especially if is hard to recover. Thus the possibility of payment appears to be above average.

But it shouldn’t be. Every bitcoin coming to the criminals make them not only richer, but bolder, since they see the return on their efforts and a good reason to continue.

The gamers are advised to keep their non-gaming software, especially the more problematic ones such as Flash, Java, Microsoft Word and Office, etc., up-to-date, and, of course, use a high-quality anti-malware solution and backup their unique gaming data on external drives, not used when surfing the Web.