Open-source ransomware variant
An open-source ransomware variant (detected by Trend Micro as RANSOM.MSIL.SYRK.A) is being used to target players of Fortnite, an online video game with 250 million gamers as of March 2019. In research by Maharlito Aquino and Kervin Alintanahin of Cyren, the ransomware was found pretending to be a cheat tool that improves the accuracy of a player’s aim (aimbot) and provides visibility over other players’ location on the map. If a player downloads and executes the file, images, videos, music, and documents stored on the victim’s computer will be encrypted by a ransomware variant that calls itself “Syrk.”
How the ransomware works
Researchers discovered that the open-source ransomware is actually based on the source code of the Hidden-Cry ransomware, which was made available on GitHub at the end of 2018. If gamers download and run the 12MB executable file named SydneyFortniteHacks.exe, their files will be encrypted and appended with the .syrk file extension.
Upon infection, the ransom note will demand payment from victims in exchange for a decryption password. The note also warns that their photo folder, followed by the desktop files, will be deleted if payment isn’t made within two hours.
Surprisingly, the researchers also discovered that the encrypted files can be recovered using decryption tools that are also present on the victim machine. One of the resources embedded in the main malware is dh35s3h8d69s3b1k.exe, which is actually a Hidden-Cry decrypting tool. Because the encryption key is already known, a PowerShell script based on the Hidden-Cry decryptor’s published source can be used to decrypt the files.
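The behaviour described above, a large number of files in a user's folders being rewritten with a .syrk extension within a short time by a single process, is the kind of pattern a host monitor can flag. The following is an added example, not code from the article or from Cyren; it models file events as simple records (the event stream, window length and threshold are constructed for illustration) and raises one alert per process whose rate of .syrk renames crosses the threshold.

```python
"""Sliding-window detector for ransomware-style mass renames.

Added example: not from the Trend Micro article or the Cyren research.
The file events below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass

SYRK_EXTENSION = ".syrk"  # extension reported in the article

# Binary names reported in the article (dropper and embedded decryptor).
KNOWN_BINARIES = {"sydneyfortnitehacks.exe", "dh35s3h8d69s3b1k.exe"}


@dataclass
class FileEvent:
    ts: float      # seconds since monitoring started
    action: str    # "rename", "create", "write" or "delete"
    path: str      # resulting path of the file
    process: str   # image name of the process that caused the event


def is_syrk_rename(ev):
    """True when an event renames a file to the .syrk extension."""
    return ev.action == "rename" and ev.path.lower().endswith(SYRK_EXTENSION)


def detect_mass_encryption(events, window=60.0, threshold=20):
    """Return (ts, process, count) alerts, one per offending process.

    A per-process deque keeps the timestamps of .syrk renames seen in the
    last `window` seconds; when it holds `threshold` or more entries the
    process is reported once.
    """
    per_process = {}
    fired = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_syrk_rename(ev):
            continue
        recent = per_process.setdefault(ev.process, deque())
        recent.append(ev.ts)
        while recent and ev.ts - recent[0] > window:
            recent.popleft()          # drop renames outside the window
        if len(recent) >= threshold and ev.process not in fired:
            fired.add(ev.process)
            alerts.append((ev.ts, ev.process, len(recent)))
    return alerts


def known_binary_processes(events):
    """Processes in the stream whose image name matches a reported binary."""
    return sorted({ev.process for ev in events
                   if ev.process.lower() in KNOWN_BINARIES})


def sample_events():
    """Constructed stream: one burst of 25 .syrk renames plus benign noise."""
    events = [FileEvent(100.0 + i, "rename",
                        f"C:/Users/alice/Pictures/img{i:03}.jpg.syrk",
                        "SydneyFortniteHacks.exe") for i in range(25)]
    # Ordinary renames by the shell never gain the .syrk extension.
    events += [FileEvent(100.0 + i, "rename",
                         f"C:/Users/alice/Documents/report{i}.docx",
                         "explorer.exe") for i in range(30)]
    # A slow trickle of .syrk renames spread far apart never fills the window.
    events += [FileEvent(t, "rename", f"C:/tmp/x{t}.syrk", "slow.exe")
               for t in (0.0, 200.0, 400.0)]
    return events


if __name__ == "__main__":
    evs = sample_events()
    for ts, proc, n in detect_mass_encryption(evs):
        print(f"t={ts:.0f}s {proc}: {n} .syrk renames in the last 60s")
    print("known binaries seen:", known_binary_processes(evs))
```

The threshold and window are tuning knobs; in practice they are set from a baseline of how many renames legitimate software performs, and the alert would be joined with the process image name and the ransom note drop as additional evidence.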
An attractive cybercriminal target, the community of Fortnite gamers must remain vigilant against schemes that may seem too good to be true. Since malware authors continue to deploy new evasion tactics and experiment with new distribution methods, users and businesses must stay on their guard. To better defend against ransomware variants such as Syrk, they can adopt the following best practices:
- Regularly back up files and ensure the integrity of these backups.
- Software, programs, and applications must be updated regularly to protect against the latest vulnerabilities.
- The principle of least privilege must be enforced to reduce the attack surface. This can be done via securing the use of system administration tools and restricting and assigning only the necessary privileges to user accounts.
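The first practice above, backing up files and checking that the backups are intact, is easy to state and easy to get wrong: a backup that the ransomware has already overwritten is no backup at all. The following added example (not from the article or the cited research) records a SHA-256 manifest of a backup tree and later verifies it, reporting files that went missing, changed content, or appeared with a new name such as a .syrk copy. The directory layout and file contents are constructed inside a temporary folder for the demonstration.

```python
"""Build and verify a SHA-256 manifest of a backup tree.

Added example: not code from the Trend Micro article. The sample files
are constructed in a temporary directory; the manifest itself should be
kept on write-once or offline storage so it cannot be altered together
with the files it describes.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in 64 KiB chunks so large media files do not need RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its hash."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the tree under root against a previously saved manifest."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(p for p in manifest
                      if p in current and current[p] != manifest[p])
    return {
        "missing": missing,
        "unexpected": unexpected,
        "modified": modified,
        "ok": not (missing or unexpected or modified),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Take a manifest, simulate encryption of the backup, verify twice."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "photos", "holiday.jpg"), b"\xff\xd8 fake jpeg")
        _write(os.path.join(root, "docs", "thesis.docx"), b"PK fake docx")
        manifest = build_manifest(root)
        before = verify_manifest(root, manifest)

        # Simulate what the article describes: one file rewritten under a
        # .syrk name with different bytes, one photo deleted.
        doc = os.path.join(root, "docs", "thesis.docx")
        os.rename(doc, doc + ".syrk")
        _write(doc + ".syrk", b"ciphertext placeholder")
        os.remove(os.path.join(root, "photos", "holiday.jpg"))
        after = verify_manifest(root, manifest)
        return before, after


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean backup ok:", clean["ok"])
    print("after tampering:", damaged)
```

A verification that reports `ok: True` against a manifest stored separately is the check that tells you the backup is restorable; the same routine run on a schedule catches a backup share that the ransomware reached before anyone noticed.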