{"id":3715,"date":"2015-03-18T17:57:56","date_gmt":"2015-03-18T17:57:56","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3715"},"modified":"2019-11-15T07:06:22","modified_gmt":"2019-11-15T12:06:22","slug":"pay-to-play-again-a-cryptolocker-variant-goes-after-the-gamers","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/pay-to-play-again-a-cryptolocker-variant-goes-after-the-gamers\/3715\/","title":{"rendered":"Pay to play again: a cryptolocker variant goes after the gamers"},"content":{"rendered":"<p>A cryptolocker variant is coming after online gamers, and there is more to this story than meets the eye. Looks like cybercriminals found a great way to get to the people who are all too willing to pay to get their data back.<\/p>\n<p class=\"wp-caption-text\">What lurks in the shadows. Bethesda TES V: Skyrim game screenshot<\/p>\n<p><strong>A long slither<\/strong><\/p>\n<p><a href=\"https:\/\/threatpost.com\/cryptolocker-variant-coming-after-gamers\/111611\" target=\"_blank\" rel=\"noopener nofollow\">According to the researchers who discovered the new malware, it uses a pretty sophisticated infection route. 
<\/a>The entry point is a certain compromised website that redirects users via a malicious Flash clip to another site hosting the Angler exploit kit, which, in turn, drops the Cryptolocker variant.<\/p>\n<p>The first site in question is based on WordPress and could have been compromised earlier by any of the many WordPress exploits, which are pretty common. WordPress is a free CMS with a modular design, popular among both individual users and enterprises. Not all of its plugins are secure, however, and given its popularity, hackers compromise WordPress-based sites quite often.<\/p>\n<p>Then the Angler kit: apparently, the attackers preferred ready-to-use, off-the-shelf tools to make sure they would succeed. Angler is also notorious for its evasiveness \u2013 it looks like the criminals didn\u2019t take chances\u2026 or just weren\u2019t technically advanced?<\/p>\n<p>Actually, they seem to know their trade well enough to use non-conventional methods of evasion: the attackers forego typical iframe redirects and instead use a Flash file wrapped in an invisible div tag, likely in an attempt to evade detection, Threatpost reports. 
The malware then runs a number of checks for the presence of virtual machines or antivirus before dropping a Flash exploit for <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-0311\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2015-0311<\/a> or an Internet Explorer exploit for <a href=\"http:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2013-2551\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2013-2551<\/a>.<\/p>\n<p><strong>They will pay<\/strong><\/p>\n<p>The cryptolocker itself is rather typical in behavior: it encrypts the files, then displays banners demanding a ransom \u2013 in Bitcoin, via Tor. Again, the attackers take no chances.<\/p>\n<p>The interesting point here is the list of targeted files: it includes file extensions associated with more than 50 AAA-class online and single-player games distributed via online content delivery systems. Call of Duty, Minecraft, Half-Life 2, the Elder Scrolls series (Oblivion, Skyrim, Elder Scrolls Online), Assassin\u2019s Creed, World of Warcraft, Day Z and a number of other games are among the targets, along with Valve\u2019s Steam gaming platform.<\/p>\n<div id=\"attachment_15729\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/03\/06020304\/cryp1-1024x544-1.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-15729\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/03\/06020304\/cryp1-1024x544-1-1024x544.jpg\" alt=\"\" width=\"1024\" height=\"544\" class=\"size-large wp-image-15729\"><\/a><p id=\"caption-attachment-15729\" class=\"wp-caption-text\">A bank in the World of Warcraft online game. Money matters\u2026<\/p><\/div>\n<p>The cryptolocker encrypts the main game files, DLC content, and files that are hard or even impossible to recover, such as mods, savegames, user profiles, etc. 
These are things hardcore gamers cherish, and they would probably be willing to pay even more than other victims.<\/p>\n<p><strong>Where the money lies<\/strong><\/p>\n<p>The gaming industry has accustomed players to paying not only for subscriptions but also for extra downloadable content and premium in-game items that help them progress faster. The latter is a somewhat newer trend \u2013 but it clearly shows that players perceive these items as having real-world value, convertible to real cash.<\/p>\n<p>And that is what the attackers are after. Apparently, the \u201cgaming cryptolocker\u201d variant\u2019s authors calculated well where to direct their hit: to hardcore gamers, their gaming content matters, especially if it is hard to recover. Thus the likelihood of payment appears to be above average.<\/p>\n<p>But it shouldn\u2019t be. Every bitcoin that reaches the criminals makes them not only richer but bolder, since they see a return on their efforts and a good reason to continue.<\/p>\n<p>Gamers are advised to keep their non-gaming software up to date, especially the more problematic programs such as Flash, Java, Microsoft Word and Office, etc., and, of course, to use a high-quality anti-malware solution and back up their unique gaming data to external drives that are not connected while surfing the Web.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A cryptolocker variant is coming after online gamers, and there is more to this story than meets the eye. 
Looks like cybercriminals found a great way to get to the<\/p>\n","protected":false},"author":209,"featured_media":15728,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[648,378],"class_list":{"0":"post-3715","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cryptolocker","10":"tag-gaming-industry"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/pay-to-play-again-a-cryptolocker-variant-goes-after-the-gamers\/3715\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/pay-to-play-again-a-cryptolocker-variant-goes-after-the-gamers\/3715\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/pay-to-play-again-a-cryptolocker-variant-goes-after-the-gamers\/3715\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cryptolocker\/","name":"cryptolocker"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3715","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=3715"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3715\/revisions"}],"predecessor-version":[{"id":30542,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3715\/revisions\/30542"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15728"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-
json\/wp\/v2\/media?parent=3715"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=3715"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=3715"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}