Gamers may soon be feeling the pain of crypto-ransomware.
A variant of CryptoLocker is in the wild that goes after data files associated with 20 different online games, locking downloadable content in an attempt to target younger computer users.
Researchers at Bromium today said an unnamed compromised website is serving the malware. Victims are redirected by a Flash exploit to a site hosting the Angler exploit kit, and Angler drops the CryptoLocker variant.
“The website is based on WordPress and could have been compromised by any one of the numerous WP exploits,” wrote Vadim Kotov in an advisory for Bromium. “Additionally, the URL where the malicious Flash file is hosted keeps changing.”
Kotov said the attackers forgo typical iframe redirects and instead use a Flash file wrapped in an invisible div tag, likely in an attempt to evade detection. The malware proceeds through a number of checks for the presence of virtual machines or antivirus before dropping a Flash exploit for CVE-2015-0311 or an Internet Explorer exploit CVE-2013-2551.
The malware behaves like a typical CryptoLocker infection, presenting the victim with a banner explaining that files have been encrypted, and a ransom must be paid with Bitcoin in order for a decryption key to be sent to the victim. There are also instructions to make payments over Tor if the decryption site is not working.
More than 50 file extensions associated with video games are targeted by this variant, in addition to images, documents, iTunes files and more. A number of popular single-player games including Call of Duty, Minecraft, Half Life 2, Elder Scrolls, Skyrim, Assassin’s Creed and others are affected, as are online games such as World of Warcraft, Day Z and League of Legends, as well as a number of EA Sports, Valve and Bethesda games. Steam gaming software is also in the crosshairs, Bromium said.
“Encrypting all these games demonstrates the evolution of crypto-ransomware as cybercriminal target new niches. Many young adults may not have any crucial documents or source code on their machine (even photographs are usually stored at Tumblr or Facebook), but surely most of them have a Steam account with a few games and an iTunes account full of music,” Kotov wrote. “Non gamers are also likely to be frustrated by these attacks if they lose their their personal data.”
Some of the files the variant goes after are often impossible to restore; those include user profile data, saved games, in-game maps and mods, Kotov wrote.
The Bromium advisory goes into more detail about command and control communication and encryption mechanisms. The experts advise gamers to back up their files on an external hard drive that is not connected to the Internet.
“As more file categories are infected, a broader audience is affected,” Kotov said. “The attackers are also getting better at incorporating BitCoin code directly into their projects, which isn’t a good sign.”