{"id":38196,"date":"2020-12-23T05:57:21","date_gmt":"2020-12-23T10:57:21","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=38196"},"modified":"2021-09-17T07:33:39","modified_gmt":"2021-09-17T11:33:39","slug":"cyberpunk-2077-ransomware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/cyberpunk-2077-ransomware\/38196\/","title":{"rendered":"Malware wrapped in Cyberpunk 2077"},"content":{"rendered":"

No sooner was Cyberpunk 2077<\/em> released for Windows and consoles than we came across a \u201cbeta version for Android\u201d online. It was completely free to download from a site bearing the name cyberpunk2077mobile[.]com. The game\u2019s actual developer has yet to announce any mobile version of the game, so we decided to investigate.<\/p>\n

Cyberpunk 2077 for Android? No, it\u2019s ransomware<\/h2>\n

The website for the alleged mobile version looks nothing like Cyberpunk 2077<\/em>\u2018s official site \u2014 it looks more like Google Play, in fact. Its creators claim the beta version was released on the same day as the official release, and (at the time of this post) had been downloaded about 1,000 times. Some users had even left feedback, saying it wasn\u2019t bad for a beta version.<\/p>\n

\"Shades<\/a>

Shades of Google Play<\/p><\/div>\n

Although the website lists the app\u2019s size at 3.4GB, the file is less than 3MB. Did the developers also create some kind of futuristic compression technology on the side? Not likely.<\/p>\n

Moving along, on its initial run, the fake beta requests access to files on the device. In theory, an app might need some file access to save or open something, but no game needs your photos and videos just to load. Nevertheless, this app will not run without the permission.<\/p>\n

If a user grants that permission, however, they will see a ransom demand, not the game they wanted.<\/p>\n

\"Why<\/a>

Why does a game need access to your files? To encrypt them, of course!<\/p><\/div>\n

The message is in rather garbled English, and it informs the victim that all of their selfies and other important files are now encrypted. To recover them, the cybercriminals demand $500 in bitcoin within 24 hours. (Or 10 hours. The ransom note mentions both periods.) Anyway, the note continues, if the victim doesn\u2019t deliver the money in time, the malware will permanently erase everything.<\/p>\n

According to the note, any attempt to remove the ransomware will be futile and result in the loss of the files.<\/p>\n

Are the encrypted files recoverable?<\/h2>\n

We checked to see what really happens to the files on an infected device. The files are indeed encrypted and assigned the extension .coderCrypt. In addition, the malware places a README.txt file, containing the same ransom message, in each folder.<\/p>\n

\"The<\/a>

The fake Cyberpunk 2077<\/em> for Android does encrypt files \u2014 its creators are honest about that part<\/p><\/div>\n

However, the files are recoverable. That\u2019s because the malware uses the RC4<\/a> symmetric encryption algorithm. The symmetric<\/em> part means the same key both encrypts and decrypts the files. In this case, the key was hard-coded into the app, and in all of the samples that we encountered, it was this: 21983453453435435738912738921.<\/p>\n

Because RC4 is quite common, it is possible to recover the files for yourself, for example, by using an online RC4 decryption service or contacting our user support team. What\u2019s more, at least for the version of the malware we examined, the 10- (or 24-) hour deadline is completely irrelevant. The ransomware won\u2019t delete anything after a time \u2014 its code contains no such function.<\/p>\n

That said, saving a copy of the encrypted files before attempting to restore them is worth your time, just in case the recovery utility fails.<\/p>\n\n

Cyberpunk 2077 ransomware: Windows version<\/h2>\n

Regrettably, files encrypted by ransomware are not always easy to recover. For example, the authors of the fake beta Cyberpunk 2077<\/em> for Android are also distributing ransomware for Windows<\/a> disguised as the same game. In that case, however, the key is not hard-coded into the app, but randomly generated for each infection case, so victims have no easy way to decrypt affected files.<\/p>\n

\"The<\/a>

The ransom note for Windows users demands $1,000 in bitcoin for decryption<\/p><\/div>\n

Should you pay up?<\/h2>\n

At the time of this writing, more than $8,000<\/a> in bitcoin had been transferred to the cybercriminals\u2019 wallet. Meanwhile, file recovery is in no way guaranteed<\/a>. The ransomware creators might simply disappear with the money or, finding victims willing to pay, demand more. Therefore, we strongly advise against paying the ransom.<\/p>\n

Kaspersky experts help ransomware victims by studying malicious code and inventing ways to decrypt files \u2014 in other words, we write free decryptors. You can find many of them on the NoMoreRansom<\/a> website, created specially to counter such attacks, or on our support website<\/a>. If you do get hit by ransomware, make those resources your first port of call. Even if no decryptor exists for your particular problem yet, it is possible, even likely, that one will appear in due course with a corresponding utility.<\/p>\n

How to stay safe from ransomware<\/h2>\n

The best tip, obviously, is to avoid ransomware in the first place \u2014 even ransomware temptingly disguised as a popular game. To protect yourself, observing basic digital hygiene may suffice.<\/p>\n