New “Pokemon Go-themed” Ransomware Uncovered, Installs Backdoor Windows Account

Recently, the Pokemon Go game became so popular with its augmented reality technology, that cybercriminal couldn’t have missed the change to take advantage of its success.

Crooks have created a Pokemon Go-themed piece of ransomware which doesn’t only encrypt victims` files in the old-fashioned way, but it is also interested in creating back door accounts on the targeted devices as well as data exfiltration.

The security researcher, Michael Gillespie, was the one to uncover the new ransomware but Bleeping Computer team were the ones to analyze it. According to them, the Pokemon Ransomware is still a work in progress but it is preparing for a huge distribution campaign.

The ransomware is being spread via a Windows executable named PokemonGo.exe, which includes a Pikachu icon. The encryption process starts when the executable is launched.

According to security experts, the Pokemon ransomware has some things in common with the Hidden Tear project, which was released last year and known to contain a backdoor encryption.

When the encryption process is over, the Pokemon ransomware adds a registry key that creates and then hides a Windows admin account called “Hack3r”. It also makes a copy of itself to the root of all fixed drives and adds an autorun entry in order to start. This way, in case of PC reboots, it will remain intact. Furthermore, it copies itself on removable drives and adds an autorun file there as well, making sure that if a portable device is inserted on another PC, its executable would launch.

Security analysts are pretty sure that the ransomware isn’t fully developed yet. What made them believe this is just a sample version is the fact that Pokemon ransomware`s encryption system uses a static encryption key of “123vivalalgerie”. Moreover, it tries to connect to a C&C server located at the “10.25.0.169” IP address, which is, in fact, not reachable via the Internet. It is a private IP address assigned for usage inside privately routed networks only.

The ransomware’s ransom screen and note are only available in Arabic, at least at this point. However, taking the AES encryption key, which mentions Algeria and the usage of French and Arabic text, researchers may be able to find some information about the creator`s location.

If, later on, Pokemon and Pikachu cues are used in different ransomware versions, users can find out if they`ve been hit by this ransomware based on the ransom note. In it, all victims are asked to contact the hacker via email at blackhat20152015@gmail.com.

Taking into consideration the ransomware`s connection to Hidden Tear, all victims are strongly advised not to pay the ransom sum demanded but check whether a free decrypter is available online.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.