The notorious Chaos ransomware gang is targeting Minecraft gamers through malicious ‘alt’ (alternative account) list files.
- FortiGuard Labs have identified a Minecraft forum file infected with Chaos ransomware.
- This variant not only encrypts certain files but also destroys others, rendering them unrecoverable.
Minecraft is a sandbox game that is wildly popular around the world, with 140 million active users.
FortiGuard Labs discovered a variant of the Chaos ransomware that appears to target Minecraft gamers in Japan.
“This variant not only encrypts certain files but also destroys others, rendering them unrecoverable. If gamers fall prey to the attack, choosing to pay the ransom may still lead to a loss of data. In this report, we will take a look at how this new ransomware variant works.” reads the analysis published by the experts.
The lure used by the threat actors is an 'alt list' text file that supposedly contains stolen Minecraft account credentials but is, in reality, a Chaos ransomware executable.
Minecraft players who want to troll or antagonise other players without the risk of their accounts being banned will sometimes use 'alt' lists to find stolen accounts that they can use for bannable offences.
The variant of Chaos ransomware spotted by the researchers was hidden in a file pretending to contain a list of “Minecraft Alt” accounts.
Once the executable file is opened, the malware runs and searches the compromised machine for files smaller than 2,117,152 bytes, which it encrypts. The ransomware appends four random characters, chosen from “abcdefghijklmnopqrstuvwxyz1234567890,” to the filename of each encrypted file.
Files larger than 2,117,152 bytes with selected file extensions are filled with random bytes, making it impossible to recover them without paying the ransom. Like other ransomware, this variant of the Chaos ransomware also deletes shadow copies from the compromised machines.
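For responders, the naming and size behaviour described above can be turned into a restore-triage check. The sketch below is an added example, not code from the FortiGuard report: it assumes a pre-incident manifest of paths and sizes (for instance from a backup index), assumes the four characters are appended as an extra `.xxxx` extension, and assumes overwritten files are renamed the same way; the function name and sample data are constructed.

```python
import re

# Alphabet the article gives for the four appended characters.
ALPHABET = "abcdefghijklmnopqrstuvwxyz1234567890"
# Assumption: the characters are appended as an extra ".xxxx" extension.
TAGGED = re.compile(r"^(?P<orig>.+)\.(?P<tag>[" + ALPHABET + r"]{4})$")
# Size boundary stated in the article, in bytes.
BOUNDARY = 2_117_152


def triage(manifest, current_names):
    """Map post-incident names back to a pre-incident manifest.

    manifest: dict of original path -> size in bytes (e.g. a backup index).
    current_names: iterable of paths found on disk after the incident.
    Returns dict of original path -> (current path, verdict).
    """
    current = set(current_names)
    findings = {}
    for name in sorted(current):
        m = TAGGED.match(name)
        if not m:
            continue
        orig = m.group("orig")
        # Count it only when the original existed before and is gone now;
        # this filters out benign names such as "notes.2021".
        if orig not in manifest or orig in current:
            continue
        size = manifest[orig]
        if size < BOUNDARY:
            verdict = "encrypted"
        elif size > BOUNDARY:
            # Article: only selected extensions (not listed) are overwritten.
            verdict = "possibly-overwritten"
        else:
            verdict = "unspecified"  # the article does not cover the boundary
        findings[orig] = (name, verdict)
    return findings


# Constructed sample data, not taken from the report.
MANIFEST = {"docs/plan.txt": 4_096, "video/clip.mp4": 50_000_000,
            "notes.2021": 120, "docs/keep.txt": 900}
ON_DISK = ["docs/plan.txt.a9x2", "video/clip.mp4.zz01", "notes.2021",
           "docs/keep.txt", "docs/keep.txt.bak1"]

if __name__ == "__main__":
    for orig, (now, verdict) in triage(MANIFEST, ON_DISK).items():
        print(f"{orig} -> {now}: {verdict}")
```

Files flagged `possibly-overwritten` are the ones to restore from backup first, since the article reports their contents are replaced with random bytes rather than encrypted.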
The gang is demanding 2,000 yen (~$17.56) worth of Bitcoin or pre-paid cards.
The ransom note, written in Japanese, states that the attacker can only be reached on Saturdays and apologises for any inconvenience caused.
Users should be suspicious of any file they download from the Internet and should not execute it unless they trust the site and have scanned the file.