Threat Management, Malware, Ransomware

Decryption tool created for ransomware designed to boost PewDiePie subscriptions

A PewDiePie fan has taken his admiration of the popular video game commentator a little too far, creating a ransomware designed to increase the YouTube star's subscriber count.

Fortunately, anti-malware company Emsisoft last week announced a new a decryption tool that restores machines infected by the unusual malware, named "PewCrypt."

On its website, Emsisoft describes PewCrypt as a Java-based ransomware that AES and RSA to encrypt files, while adding the extension ".PewCrypt". The creator's ransom note asks the victim to subscribe to PewDiePie and warns that the malware creator will not issue a decrypter tool unless and until PewDiePie reaches 100 million subscribers.

"Were that not to happen, people would have no means of decrypting their data," said Emsisoft researcher Michael Gillespie in an email interview with SC Media.

The ransom note also claims that if T-Series beats PewDiePie in total subscribers, "the private key will be deleted and you [sic] files gone forever [sic]". T-Series is a record company that produces Bollywood music soundtracks and Indi-pop music, and has regularly been in competition with PewDiePie over who has the number-one YouTube channel.

Ultimately, PewCrypt's creator went back on his threat and released his own version of a decrypter. But he also open-sourced the malware itself, allowing other actors to potentially adopt and modify PewCrypt to use it in the wild. Using two different variations of the username "JustMe," the ransomware developer posted his work on both Twitter and GitHub.

According to Gillespie, the decrypter tool "JustMe" provided "was a command-line based decrypter that is not very user friendly. Also, the user would have to trust the person who initially infected them to not further infect them with more malware."

Instead, victims can now use Emsisoft's decryption tool, which was created by extracting and converting the private key to make a GUI decryptor, a company spokesperson explained. The spokesperson said that Emsisoft is not aware of a "huge number" of PewCrypt victims, "but there are definitely cases out there."

In an unrelated development, BleepingComputer reported today that Emsisoft released another decryptor for Hacked Ransomware, aka HKCrypt. Discovered by BleepingComputer creator Lawrence Abrams discovered back in 2017, the ransomware displays a fake Windows Update while encrypting victims' files with the RC4 algorithm and appending the extension ".hacked" to their names.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.