Pokémon GO for Windows ransomware uncovered

The hack uses AES encryption to lock the files and will then demand the payment

Malware researcher Michael Gillespie has uncovered a ransomware attack that's disguised as a Pokmon GO app for Windows.

The Hidden-Tear ransomware, which appears to target Arabic-speaking users, encrypts files from Microsoft Office in particular, making them useless unless the victim pays the criminal to unlock them.

After launching, the ransomware sends out the message: "Your files have been encrypted, decoding Falaksa Mobilis following address me.blackhat20152015@mt2015.com and thank you in advance for your generosity," in Arabic.

"On closer look, it is apparent that this developer has put in extra time to include features that are not found in many, if any, other ransomware variants," Lawrence Abrams wrote on Bleeping Computer.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"These features include adding a backdoor Windows account, spreading the executable to other drives, and creating network shares. It also appears that the developer isn't done yet as the source code contains many indications that this is a development version."

The backdoor account the ransomware creates allows the hacker to access the user's computer if they wish in future. It will create a user account named Hack3r, making it an administrator of the host computer. However, this account is hidden, so the user can't see it in the list of admins.

The ransomware spreads itself by copying the executable file to all removable drives. Whenever a USB drive is plugged into the computer, the ransomware is activated and will make a copy of itself on the root of any fixed disk other then the C: drive, which will then autorun when a user logs into Windows.

Abrams explained it is likely the person behind the ransomware is still developing the tool, because not only are they using a static AES key of 123vivalalgerie (also suggesting the hacker is Algerian), but the hard coded command and control (C2) server the criminal uses is an IP address that is assigned only for private use.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/29204/how-can-you-protect-your-business-from-crypto-ransomware
Security

How can you protect your business from crypto-ransomware?

4 Nov 2019
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/operating-systems/microsoft-windows/354526/memes-and-viking-funerals-the-internet-reacts-to-the
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020