Since its release, Pokémon Go has consistently peaked at millions of users all over the world. With its popularity has come a number of innovations, including a HoloLens adaptation. However, there are some looking to use the game in less positive ways.
— Michael Gillespie (@demonslay335) August 12, 2016
Malware researcher Michael Gillespie has discovered a new Hidden-Tear ransomware variant that poses as a Windows Pokémon Go app. It mainly targets Arabic-speaking users, locking their files until they pay a fee.
How It Works
The Pokémon Go ransomware scans the victim's drive for commonly important file types such as .doc, .pdf, .html and images, and uses AES encryption to deny access to them. Once it has finished, it displays a note telling the user to contact [email protected] for payment instructions.
An inspection reveals that the ransomware contains many features that go further than regular ransomware variants. One of these is a backdoor Windows account.
Named Hack3r, the new user account gives the developer access to the victim's computer at a later date, and it is hidden through a change in registry keys. What makes the ransomware even more dangerous, however, is its ability to spread.
A network share is created on the victim's computer, allowing the ransomware to pass between computers. Most firewalls block this, but the ransomware also has another way of infecting others: it copies itself to all removable drives, so the fake Pokémon Go program runs automatically when the drive is plugged in.
Still in Development
A number of clues suggest that the developer plans to improve the ransomware further. It currently uses a static AES key, 123vivalalgerie. This means the encryption can be easily circumvented, and it is assumed that the developer will later generate a random key and upload it to a server.
The current hard-coded C2 server uses an IP address from a range assigned for private use, which means there is no way to connect to it over the internet. This is expected to change in a later build, along with use of the built-in CreateShare functionality.
Thanks to BleepingComputer, we have an English translation of the Arabic ransom note; the images provided here also come from there. It reads:
“Your files have been encrypted, decoding Falaksa Mobilis follow address [email protected]”
The message is also shown when the victim logs into their Windows account. The ransomware achieves this by saving an .exe file to the Startup folder, which displays a Pikachu and red text. Not much is known about the developer, but it is speculated that he comes from Algeria.
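As an added defender-side check (not code from the article or from the sample itself), the following PowerShell hunt looks for the host indicators described above: the Hack3r account, an account hidden from the logon screen via the registry, an executable in a Startup folder, a non-default network share, and executables or autorun.inf on removable drives. The article does not name the registry key or folder paths, so the SpecialAccounts\UserList key and the Startup folder locations are assumptions about where the sample's changes would show up.

```powershell
# Added hunt script; assumptions are marked in comments.
$findings = @()

# 1. Backdoor local account named Hack3r (name taken from the article).
if (Get-LocalUser -Name 'Hack3r' -ErrorAction SilentlyContinue) {
    $findings += 'Local account "Hack3r" exists'
}

# 2. Accounts hidden from the logon screen. The article only says the account is
#    hidden via a registry change; SpecialAccounts\UserList is the standard key
#    for that and is checked here as an assumption about the sample's behaviour.
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    foreach ($name in (Get-Item $userList).Property) {
        $findings += "Account hidden from logon screen via UserList: $name"
    }
}

# 3. Executables in any user's or the all-users Startup folder
#    (the persistence the article describes; paths are the Windows defaults).
$startupGlobs = @(
    'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe',
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*.exe'
)
Get-ChildItem -Path $startupGlobs -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Executable in Startup folder: $($_.FullName)"
}

# 4. Non-default SMB shares (the article says the sample creates a share;
#    administrative shares such as C$ and IPC$ are flagged as Special and skipped).
Get-SmbShare -ErrorAction SilentlyContinue | Where-Object { -not $_.Special } | ForEach-Object {
    $findings += "Non-default share: $($_.Name) -> $($_.Path)"
}

# 5. Removable drives (Win32_LogicalDisk DriveType 2) carrying an executable or
#    autorun.inf at the root, matching the removable-drive spreading described above.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = "$($_.DeviceID)\"
    Get-ChildItem -Path (Join-Path $root '*') -Include '*.exe', 'autorun.inf' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Suspicious file on removable drive root: $($_.FullName)" }
}

if ($findings.Count -eq 0) { 'No indicators found' } else { $findings }
```

Run from an elevated PowerShell session; Get-LocalUser and Get-SmbShare require Windows 8/Server 2012 or later.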
A legitimate Windows beta for the game can be found here.