Independent researcher Michael Gillespie discovered a unique ransomware variant posing as a Pokémon Go application for Windows.
The Pokemon themed ransomware targets Arabic speaking users and possibly originated in Algeria, according to Bleeping Computer.
In addition to locking up a victim's files and leaving behind a Pikachu themed ransom note, The Hidden Tear open source based ransomware also adds a backdoor Windows account, spreads itself to other drives, and creates a network share.
Once installed, the ransomware creates a user account and adds it to the Administrators group before hiding the account from sight by configuring a Windows registry key. The malware also creates a shared network on the victim's computer, although its purpose is unclear as the function currently isn't being used by the program.
The ransomware scans the victim's drive for files with specific extensions and adds the .locked append extension to the encrypted files.
The malware is believed to still be in its developmental phase because it uses a static AES key and because the hard coded C2 server uses an IP address that is assigned only for private use, meaning there is no way to connect the IP address over the internet, the blog said.
It's assumed that the developer of the ransomware will enable the malware to generate random encryption keys and enable the IP address to connect over the web when the ransomware is finally released, the blog said.
Pokemon Go players should be weary of catching malware in their quest to catch them all, Tripwire Senior Security Researcher Travis Smith told SCMagazine.com via email comments.
“While the malware is not fully production code, it highlights the intent of some malware creators to capitalize on the Pokemon Go craze,” he said. “Users looking for Pokemon should be wary of any third party applications or services looking to assist your search.”
Smith said that the ransomware creating new user accounts is a new development and that its unclear if the intent is to maintain persistence or be an indicator to avoid multiple infections of the same box.
“Either way, it's clear the ransomware is looking to spread itself to network shares and removable drives to both spread infection and potentially cripple backups; the primary recovery method for ransomware,” he said.
