Emergence of gaming ransomware


By Nilesh Jain

Ransomware has already been an insidious entity in the realm of cyber security, and now yet another nasty variant has popped up that wants to play games with digital gamers. This peculiar gaming ransomware scrambles the hard drive’s MBR. Many gamers may be of the opinion that they do not have files that hackers could encrypt to tempt them into paying a ransom to get those files decrypted. However, what would a player do if it was a saved game, mods, DLC or a Steam account that was held for ransom?


Thriving on the infamy of Cryptolockers, TeslaCrypt is a form of crypto-ransomware. It targets over 50 file extensions related to video games, including Steam, single-user and multiplayer games, and even game development software, and sets a three-day timer to pay up. While TeslaCrypt aims at more file types associated with video games than we have ever seen, it also targets 185 file extensions, including documents, photos and iTunes files. Recently we got our hands on a full list of targeted games and affected gaming software. Some of them are single-user games and some are online games. Call of Duty, StarCraft 2, Diablo, Fallout 3, Minecraft, Half-Life 2, Dragon Age: Origins, The Elder Scrolls and specifically Skyrim-related files, Star Wars: The Knights Of The Old Republic, Warcraft 3, F.E.A.R., Saints Row 2, Metro 2033, Assassin’s Creed, S.T.A.L.K.E.R., Resident Evil 4 and BioShock 2 are some of the single-user games affected. Similarly, among online games, World of Warcraft, Day Z, League of Legends, World of Tanks and Metin2 have been affected by TeslaCrypt.

Furthermore, the most preferred mode of payment in such attacks is Bitcoin, where the value of 1.5 Bitcoins ranges between $451 and $430. The audacious TeslaCrypt also allows its victims to decrypt one file for free, to prove that the attackers can indeed decrypt files. Additionally, it comes with a support feature: a message system that allows a victim to communicate privately with the malware developers. Similarly, there is yet another form of ransomware, viz. Jigsaw. After Jigsaw encrypts the files, it gives the victim 24 hours to figure out how to purchase $150 worth of Bitcoin and send it to a specified address. Other ransomware strains have tried to intimidate victims into paying up by jacking up the ransom amount more and more as time passes. Jigsaw takes a different approach: it starts deleting the encrypted files.


It is easy to recommend that victims not pay the ransom when it is not our own files being held hostage. However, not paying is in the best interest of the victims. They should ensure that their files are backed up and stored on an external hard drive that is not plugged in to the computer when they are online. People should also be careful with Dropbox and other cloud services, because if they have folders synchronized with online storage, there is every possibility that malware will get to those files too.


Such occurrences clearly demonstrate the constant evolution of crypto-ransomware as cybercriminals target new niches. Young adults mostly do not carry any crucial documents or source code on their machines, but surely most of them have a Steam account with a few games and an iTunes account full of music. Losing personal data could leave non-gamers frustrated by these attacks as well. Although there is no assurance that encrypted or deleted files can be restored, one can try restoring files from a backup or using Shadow Explorer.


The author is Country Manager (India and SAARC), Trend Micro

Written by FP Archives
