New Crypto-Ransomware Encrypts Video Game Files

An anonymous reader writes A new piece of ransomware that (mis)uses the Cryptolocker "brand" has been analyzed by Bromium researchers, and they discovered that aside from the usual assortment of file types that ransomware usually targets, this variant also encrypts file types associated with video games and game related software. It targets files associated with single-user games Call of Duty, Star Craft 2, Diablo, Fallout 3, Minecraft, Half-Life 2, Dragon Age: Origins, The Elder Scrolls and specifically Skyrim-related files, Star Wars: The Knights Of The Old Republic, WarCraft 3, F.E.A.R, Saint Rows 2, Metro 2033, Assassin's Creed, S.T.A.L.K.E.R., Resident Evil 4, Bioshock 2; and online games World of Warcraft, Day Z, League of Legends, World of Tanks, and Metin2. Here's the Bromium Labs report.

Just re-download it?

[Anonymous Coward]

Targeting files that can easily be replaced by exactly the same means that they were gotten in the first place doesn't seem like a super brilliant move.

Re:

[tysonedwards]

They think that the whole world is on 1.5Mbps connections, and make them all suffer with their redownloading of 100GB of Star Citizen, or 33GB of WoW, or ... Make it too painful, so they pay a pittance to be able to play again sometime this month.

Re:

[Anonymous Coward]

Homer: New York is a hellhole. And you know how I feel about hellholes.
Lisa: Dad, you can't judge a place you've never been to.
Bart: Yeah, that's what people do in Russia.

Re:

[mlts]

It doesn't seem like much of a step, but it is an advance for the bad guys.

As always, even though save game files may not be something people consider as valuable, it is still something that can be lost.

Ransomware seems like it is just starting to ramp up this year. I would not be surprised to see the next generation of it starts checking if the user has any AD rights and attacks entire AD forests. A company that loses access to AD (especially if they use rights management servers) likely will pay a crimi

Re:

[dbIII]

The ironic thing is that tape drives are starting to see a resurgence

Good. It will make things cheaper for those of us that never stopped using them. LTO5 can write faster than a gigabit network can feed the computer it's hooked up to, and LTO6 is apparently even faster.

Re:Just re-download it?

[fuzzyfuzzyfungus]

Targeting files that can easily be replaced by exactly the same means that they were gotten in the first place doesn't seem like a super brilliant move.

Also, targeting fanatical TES players makes a visit from the Dark Brotherhood a virtual certainty.

"Sweet mother, sweet mother, send your child unto me..."

Re:

[vux984]

Targeting files that can easily be replaced by exactly the same means that they were gotten in the first place doesn't seem like a super brilliant move.

Presumably they'd be targeting the save games.

Given that PC gamers are by and large usually at least a bit technically savvy, and often very savvy going after the executables doesn't seem like a winning strategy. You'd catch someone I'm sure... but only a fraction of the audience would even care.

Then again... only a fraction of the audience is really that invested in their save games. The truly valuable stuff (relatively speaking) is all tied to mmo accounts (and therefore not stored on your PC anyway).

Re:

[mattventura]

Then again... only a fraction of the audience is really that invested in their save games. The truly valuable stuff (relatively speaking) is all tied to mmo accounts (and therefore not stored on your PC anyway).

Exactly, it would be far more profitable for them to simply steal any saved account credentials.

Steam Cloud to the rescue?

[Jesus_666]

I wonder if Valve will expand the Steam Cloud in response. Steam already warns you on game launch if your savegames don't match what's in the cloud so broken savegames can be recovered as long as you don't sync. The flaw in that is that syncing happens whenever you exit the game so you'd have to force-kill Steam if you notice that everything is corrupt. (Perhaps this only applies if your game actually saved something but some games are very save-happy.)

If Valve adds a simple versioning system, even if it

Re:

[CronoCloud]

Doesn't most of these ransomware things also lock down the machines network connection for anything else other than paying the ransom?

Re:

[RavenLrD20k]

For you and me, this is a non-issue. Games are supposed to be fun. For my roommate who's a real achievement/gamerscore whore, I'd have to hear him bitching about him having to re-do all the back-bending he's done to get those obscure achievements. He goes after these things like he's actually making money off of them, instead of realizing that it's sucking his wallet and soul dry. For people like that, games are work; while they'll say they're having fun, their attitude doesn't show it one bit.

Conspiracy theory

[mattventura]

All of these crypto ransomware things are actually a plot to make people associate "encryption" with something bad, so that people will stop using things like encrypted-by-default phones.

Javascript and Flash and Windows and IExplorer

[DougPaulson]

> Gosh. Javascript and Flash. Two great tastes that broke the web together.

Re:

[lister king of smeg]

It says this malware refuses to do anything if it detects VM. How to make my computer look like a VM?

My first guess is install vmware tools so it looks like a guest os?

I have actually wondered why they wouldn't check for things like that and use them as an attack vector for the host computer.

Re:

[mattventura]

Looking at the Bromium report, it appears that it's checking for various drivers that Vm programs would typically install as part of their guest tools. It looks like if you were to install something as simple as the VMware mouse driver it would think you're in VMware. It also checks for Fiddler so you could simply install that.

Re:

[account_deleted]

Comment removed based on user account deletion

Hitman pro

[thrill12]

apparently already blocks this Teslacrypt [twitter.com] variant. Finding niches in the world to exploit becomes a sport it seems, I wonder what the next niche will be. I will be busy asserting my Linux security in the meanwhile.

Wheew!!!

[tekrat]

As long as it doesn't affect DOOM. And by that I mean the original, which I'm still playing after 2 decades.

Re:

[antdude]

Playing external WADs, Dehacked, mods, online, etc.? ;)

Too much pretty graphics

[Hey_bob]

At least I'll be able to keep playing Dwarf Fortress and NetHack for another 10mins, until I die. Again.
YASD.. fun!

Re:

[loonycyborg]

With dwarf fortress it'll be a lot more than 10mins, unless you embark on a glacier or something :P

So, it's the same thing

[TJ_Phazerhacki]

This sounds like the same sort of thing that has been plaguing 'normal' users for the last 2 years, except now, instead of locking down Word docs and photos, it's killing game save files.

Betcha their ransom pay rate is way higher with gamers. Smart move, fuckers...

Re:

[thegarbz]

Looking at some of the games on the list I think I would pay them not to decrypt the files.

Maybe play parents and kids off against each other. Keep having each party bid as to whether the son gets to spend his life playing WoW again.

Sniper Elite 3

[TechyImmigrant]

So long as they leave Sniper Elite 3 alone, I'm safe.

Re:

[TechyImmigrant]

I guess you get two chances before you're out.

Output of the human race spikes up momentarily

[linear a]

While all the game files download again.

Diablo??

[captain_nifty]

It targets files associated with single-user games Call of Duty, Star Craft 2, Diablo, Fallout 3...

Seriously Diablo?? WTF is that a typo and supposed to be DIablo II or 3, are people still playing single player Diablo, a few years back I installed it in a VM to get some nostalgic gameplay and it was horrible.

Re:

[Whorhay]

It could be Diablo 3 files though that'd be pointless as they could be just downloaded again. The saves for D3 are all kept on Blizzards servers, this possibly being the only upside for the consumer of their DRM scheme.

Diablo 1 or 2 could make sense as those allowed for save games on your computer. However that seems rather pointless also as there has been software for decades now to create your own save files with all the equipment you could ever want.

Re:Simcity? Does it go after my Simcity files?

[He Who Has No Name]

Yes, but compared to what EA did to the game, it causes hundreds of dollars in improvement.

Re:

[rogoshen1]

only if you type in swear words.

Bromium?

[DiSKiLLeR]

Are they a venture backed startup full of bronies?

They just jumped the shark

[spacepimp]

Nobody is going to pay to get their saved game data back. Plus gamers have no money,.

Re:

[Whorhay]

The demographics for gamers has been changing for a long while now. There is a large portion of that group that probably does lack disposable income to buy back save game files. But there is also a very large grouping that likely has money to ransom their save game files. I work with lots of 25-40 year olds that play video games and make proffesional white collar wages.

Per file AES

[OverlordQ]

So how does the whole per-file random AES key work? Since they're only shipping over the one 'key' parameter, the individual file keys have to be somehow deterministic right?

Re:

[PRMan]

If you can guess the exact contents of any 2 files, you should be able to reverse engineer the key. Probably impossible though.

Re:

[Anonymous Coward]

The AES key used to encrypt the files is randomized per-file, so there shouldn't be any files encrypted with the same key. The AES key is pre-pended to each file encrypted by some flavor of asymmetric encryption (I think RSA but I'm not 100% on that). They download and use the 'public' half of the key on your computer, matching up with the private key on their own servers. You pay the ransom, it sends the private key to your computer and uses it to decrypt the individual AES keys, wham bam thank you sir.

Re:

[OverlordQ]

Ok, that makes more sense. That dual symmetric-asymmetric was missing from one of the writeups.

Re:

[lister king of smeg]

So how does the whole per-file random AES key work? Since they're only shipping over the one 'key' parameter, the individual file keys have to be somehow deterministic right?

or are all of the keys are stored in a encrypted keyring where the key they give you unlocks all of the keys in the keyring which then unlocks all of your files.

not WoT! :(

[ihtoit]

out of all the games listed, that's the only one I actually play!

this may sound dumb

[desdinova 216]

but doesn't WoW and all MMO games save all character data on the server?

Oh no! Please don't encrypt my WoW files!

[Sycraft-fu]

I mean it isn't like it is an online game where Blizzard stores all your character data, key settings, macros and other stuff on the server! Oh, wait, yes it is.

Seriously, why would they do WoW? You just run a repair in the Blizzard client, redownload any mods, and you are up and running. They do it so you can easily play on multiple computers.

Re:

[Anonymous Coward]

WoW has bloated significantly over its lifespan. People with a slower Internet connection will have to wait quite a long time for it to re-download. All while paying Blizzard for access to a service they can't use. Not to mention WoW-addiction. Some might be tempted to pay to speed things up.

Re:

[kit_triforce]

This is why I still play RuneScape.

Re:

[Mashiki]

Well 5-6? expansions, new assets, and so-on will cause bloat.

Dang....

[Ferretman]

Gotta give them credit, that's clever.

Ferret

Which games now?

[flopsquad]

It targets files associated with single-user games Call of Duty, Star Craft 2, Diablo, Fallout 3...

So this is how Tristram falls...