A ransomware that calls itself “Syrk” is targeting gaming juggernaut Fortnite’s enormous user base, purporting to be a game hack tool.
Syrk promises players an “aimbot” for aiming more accurately while playing, and “ESP,” for discovering other player’s locations in the game. What it really gives them is a headache of a computer infection that locks up their machines and demands a ransom. If left unpaid, Syrk will delete batches of files every two hours.
According to an analysis on Tuesday by researchers at Cyren, Syrk ransomware is actually the Hidden-Cry ransomware that’s been given a .Syrk extension.
“The source code for Hidden-Cry is readily available, having been shared on Github at the end of last year,” the researchers noted, adding that the reskinned malware could begin cropping up in many different places. “We expect [Syrk] to possibly be distributed via an upload to a sharing site and the link posted in Fortnite users in forums,” they said.
Once the payload is executed, it connects to a command-and-control (C2) server and disables Windows Defender and UAC through a registry tweak. It then sets about encrypting a range of file types, including *.gif, *.sln, *.docx, *.php, *.psd, *.ico, *.mov, *.xlsx, *.jpg, *.xls, *.doc, *.pdf, *.wav, *.pptx, *.ppt, *.txt, *.png, *.bmp, *.rar, *.zip, *.mp3, *.mp4 and *.avi. It gives the encrypted files the .syrk extension.
It also monitors for Taskmgr, Procmon64 and ProcessHacker, which could interrupt its processes.
“The next step is it will set a timed procedure to try and delete the encrypted files in the directories listed below, deleting the files every two hours in the following order: %userprofile%\Pictures; %userprofile%\Desktop; and %userprofile%\Documents,” the researchers wrote.
At the same time, it starts using LimeUSB_Csharp.exe to infect USB drives if they exist.
“Combining game malware with ransomware was inevitable,” Chris Morales, head of security analytics at Vectra, told Threatpost. “Social engineering through online video games has been going on for some time [including around Fortnite]. It is a large audience to target and an industry that is known to look for shortcuts. Malware posing as a hack tool is novel as it will not be validated by any app store and bypasses the normal security controls. This makes encrypting files using a game hack highly opportunistic and easy to execute.”
He added, “This ransomware is effectively cheating the cheater.”
The good news is that Cyren researchers found that it’s possible to both decrypt the encrypted files, and recover those that were deleted.
“The file dh35s3h8d69s3b1k.exe is the Hidden-Cry decrypting tool, and can be found as one of the resources embedded in the main malware,” they explained. “Since the key used is already known, it can be used to create a PowerShell script based on the shared source of the Hidden-Cry decrypter. To do this, extract the embedded file dh35s3h8d69s3b1k.exe and execute the file in the infected machine. It will drop the necessary PowerShell script needed to decrypt the files.”
As for recovery, “One principle feature of the Hidden-Cry ransomware is that, as seen in the instructions shown, is the sense of urgency it creates in the victim by deleting files every two hours,” they wrote. “However, we believe it is possible for victims to recover deleted files, given the simple method used to delete the files.” Threatpost has asked for more details on that process and will update this post accordingly.
Fortnite has become a global phenomenon, claiming to have 250 million players (the Fortnite World Cup also just ended, which offered a $30 million prize pool — indicative of its popularity).
Alex Guirakhoo, strategic intelligence analyst at Digital Shadows, told Threatpost that cybercriminals are always interested in the gaming world, and especially those with large, invested communities.
“The video game industry, and gamers in general, are lucrative targets for cybercriminals,” he said. “Gamers are attractive targets for this kind of attack as they likely have computers with powerful graphics cards, which are heavily sought after for cryptocurrency mining because of their performance. A lot of this builds on the wide media attention that popular games receive on social media and sites such as Twitch or YouTube. The more attention a game gets because of a new release or update, the more likely it is that a cybercriminal will be able to successfully distribute malware.”
For example, trojans like MonsterInstall have been distributed on websites which claim to offer hacks and cheats for various popular and competitive video games like CS:GO, Minecraft and FIFA.
“When trying to download a hack, the user instead downloads a password-protected 7ZIP archive, which contains the purported hack files as well as the MonsterInstall trojan,” Guirakhoo said. “The trojan then acts as a downloader for a malicious cryptocurrency miner.” He added, “Additionally, we’ve also seen threat actors hijack game updates to push malware, or distribute malware disguised as legitimate apps for popular games like Fortnite or Apex Legends.”
Further, financially motivated types aren’t the only ones eyeing the gamer community.
“Even advanced nation-state threat actors like the China-linked Winnti Group and APT41 see this sector and demographic as lucrative: They have conducted supply chain compromise attacks by targeting video game distributors for popular games like League of Legends or Path of Exile,” he explained.
Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.