TeslaCrypt is Ransomware Targeting Gamers
Ransomware is a pretty powerful and concerning thing. It's affected entire Australian news stations, to the point that they had to go off of the air. But now some clever bad people are looking to target gamers specifically with a variant of Cryptolocker, called TeslaCrypt that looks for and encrypts games.
TeslaCrypt now targets gamers by searching for and encrypting game files and folders.
This little piece of malware really brings a new meaning to paying for downloadable content, specifically your own now encrypted games. It's being distributed by a website that hosts a flash clip with an imbedded div tag.
TeslaCrypt itself takes advantage of some previously known flash exploits, specifically CVE-2015-0311 and CVE-2013-2551, which is an Internet Explorer exploit. The malware is hosted on websites that are running WordPress, likely put there through the the use of the numerous WordPress plugin exploits that exists. The funny thing is that the URL itself keeps changing, so it seems to be hosted on an unknown number of websites.
The flash file based malware is a little smarter than you'd think, it checks for virtual machines and a a number of anti-virus programs before it begins dropping its payload of TeslaCrypt.
When it is installed on your machine, it looks for 50 different file extensions that are normally associated with video games, also looking for the typical office documents in which to lock you out of. It specifically looks for a number of games in which to make you cry. A great deal of games are affected, which are listed below. When everything has been encrypted, with different AES keys of an unknown key length of each file, it sends information to its command and control server through the use of TOR to obfuscate its actual location.
- Single Player Games
- Call of Duty
- Star Craft 2
- Fallout 3
- Half-Life 2
- Dragon Age: Origins
- The Elder Scrolls and specifically Skyrim related files
- Star Wars: The Knights Of The Old Republic
- WarCraft 3
- Saint Rows 2
- Metro 2033
- Assassin’s Creed
- Resident Evil 4
- Bioshock 2
- Online Games
- World of Warcraft
- Day Z
- League of Legends
- World of Tanks
- Company Specific Files
- Various EA Sports games
- Various Valve games
- Various Bethesda games
- Gaming Software
- Game Development Software
- RPG Maker
- Unreal Engine
Vadim Kotov from Bromium labs was the one who found this version of ransomware. He was surprised that it had evolved to the point that it targets a specific computer using demographic.
“Encrypting all these games demonstrates the evolution of crypto-ransomware as cybercriminal target new niches. Many young adults may not have any crucial documents or source code on their machine (even photographs are usually stored at Tumblr or Facebook), but surely most of them have a Steam account with a few games and an iTunes account full of music,”
Now ransomware is looking for games and is being targeted at gamers themselves. This is certainly bad news for us all, though not necessarily for those that don't go about on fishy websites or clicking links that look just a bit too suspicious. No details regarding the website to avoid were given, for good reason, but just be aware that some WordPress based websites are hosting Flash ads or clips that can very well provide the aforementioned TeslaCrypt.
As always, browse smart and safe!