Slashdot Mirror


New Crypto-Ransomware Encrypts Video Game Files

An anonymous reader writes A new piece of ransomware that (mis)uses the Cryptolocker "brand" has been analyzed by Bromium researchers, and they discovered that aside from the usual assortment of file types that ransomware usually targets, this variant also encrypts file types associated with video games and game related software. It targets files associated with single-user games Call of Duty, Star Craft 2, Diablo, Fallout 3, Minecraft, Half-Life 2, Dragon Age: Origins, The Elder Scrolls and specifically Skyrim-related files, Star Wars: Knights of the Old Republic, WarCraft 3, F.E.A.R, Saints Row 2, Metro 2033, Assassin's Creed, S.T.A.L.K.E.R., Resident Evil 4, Bioshock 2; and online games World of Warcraft, Day Z, League of Legends, World of Tanks, and Metin2. Here's the Bromium Labs report.

73 comments

  1. Just re-download it? by Anonymous Coward · · Score: 1

    Targeting files that can easily be replaced by exactly the same means that they were gotten in the first place doesn't seem like a super brilliant move.

    1. Re:Just re-download it? by Anonymous Coward · · Score: 0

      No shit, doesn't Steam store the vast majority of its save files in the cloud anyway? The hell do these idiot, likely drunk Russian, "hackers" think they'll accomplish?

    2. Re: Just re-download it? by Anonymous Coward · · Score: 0

      Cloud backs up encrypted save. Then it tells you the save is corrupted.
      Not very useful unless you knew in advance and disconnected before the backup happens. Which is every time you close a game.

    3. Re:Just re-download it? by tysonedwards · · Score: 1

      They think that the whole world is on 1.5Mbps connections, and make them all suffer with their redownloading of 100GB of Star Citizen, or 33GB of WoW, or ... Make it too painful, so they pay a pittance to be able to play again sometime this month.

      --
      Thirty four characters live here.
    4. Re:Just re-download it? by mlts · · Score: 2

      It doesn't seem like much of a step, but it is an advance for the bad guys.

      As always, even though save game files may not be something people consider as valuable, it is still something that can be lost.

      Ransomware seems like it is just starting to ramp up this year. I would not be surprised to see the next generation of it start checking if the user has any AD rights and attack entire AD forests. A company that loses access to AD (especially if they use rights management servers) likely will pay a criminal organization top BTC to get their access back.

      The ironic thing is that tape drives are starting to see a resurgence. The market share for tape drives grew 13% in 2013, and 26% in 2014 (as per Extremetech). Add Sony's sputtered deposition technology (similar to how some high-end studio microphone elements are made) that offers 185 terabytes per cartridge, and we have a decent tool to combat ransomware.

      Of course, the best solution for a small installation is a dedicated backup server that pulls backups (optionally encrypted), and plops data on a disk array as well as tape. Tape isn't perfect, but its advantage is that it is easily stored offline, where physical presence is needed to put a tape in, and cartridges have a read/write switch that is honored, barring a covert reflash of the tape drive's firmware. For larger installations, it is hard to beat WORM media, SPIN/SPOUT encryption on the drives, and silos.

    5. Re: Just re-download it? by Anonymous Coward · · Score: 0

      Steam will ask you what to do in the event of conflict or corruption.

    6. Re:Just re-download it? by fuzzyfuzzyfungus · · Score: 3, Funny

      Targeting files that can easily be replaced by exactly the same means that they were gotten in the first place doesn't seem like a super brilliant move.

      Also, targeting fanatical TES players makes a visit from the Dark Brotherhood a virtual certainty.

      "Sweet mother, sweet mother, send your child unto me..."

    7. Re:Just re-download it? by vux984 · · Score: 2

      Targeting files that can easily be replaced by exactly the same means that they were gotten in the first place doesn't seem like a super brilliant move.

      Presumably they'd be targeting the save games.

      Given that PC gamers are by and large usually at least a bit technically savvy, and often very savvy, going after the executables doesn't seem like a winning strategy. You'd catch someone I'm sure... but only a fraction of the audience would even care.

      Then again... only a fraction of the audience is really that invested in their save games. The truly valuable stuff (relatively speaking) is all tied to mmo accounts (and therefore not stored on your PC anyway).

    8. Re:Just re-download it? by CronoCloud · · Score: 1

      Don't most of these ransomware things also lock down the machine's network connection for anything other than paying the ransom?

    9. Re:Just re-download it? by mattventura · · Score: 2

      Then again... only a fraction of the audience is really that invested in their save games. The truly valuable stuff (relatively speaking) is all tied to mmo accounts (and therefore not stored on your PC anyway).

      Exactly, it would be far more profitable for them to simply steal any saved account credentials.

    10. Re:Just re-download it? by Anonymous Coward · · Score: 1

      Homer: New York is a hellhole. And you know how I feel about hellholes.
      Lisa: Dad, you can't judge a place you've never been to.
      Bart: Yeah, that's what people do in Russia.

    11. Re:Just re-download it? by Anonymous Coward · · Score: 0

      I believe it encrypts the savegame state/checkpoint files that enable you to resume gameplay? If so, good luck re-downloading those!

    12. Re:Just re-download it? by dbIII · · Score: 1

      The ironic thing is that tape drives are starting to see a resurgence

      Good. It will make things cheaper for those of us that never stopped using them. LTO5 can write faster than a gigabit network can feed the computer it's hooked up to, and LTO6 is apparently even faster.

  2. Oh noooo. by Anonymous Coward · · Score: 0

    Oh nooo, you say you'll delete my precious game progress and make me play it again and have fun?
    How awful.

    1. Re:Oh noooo. by RavenLrD20k · · Score: 1

      For you and me, this is a non-issue. Games are supposed to be fun. For my roommate who's a real achievement/gamerscore whore, I'd have to hear him bitching about him having to re-do all the back-bending he's done to get those obscure achievements. He goes after these things like he's actually making money off of them, instead of realizing that it's sucking his wallet and soul dry. For people like that, games are work; while they'll say they're having fun, their attitude doesn't show it one bit.

  3. encrypted first psot by Anonymous Coward · · Score: 0

    its still the first encrypted one!

  4. Conspiracy theory by mattventura · · Score: 3, Interesting

    All of these crypto ransomware things are actually a plot to make people associate "encryption" with something bad, so that people will stop using things like encrypted-by-default phones.

  5. Seems silly... by Anonymous Coward · · Score: 0

    "I know what will really hurt them... I'll encrypt all of the files that are automatically synced to the cloud and can be easily re-downloaded! Bwuahahaha!"

    Seriously, all of those are things that I keep on my non-backed up spinner drive since they're considered expendable.

  6. Javascript and Flash by Anonymous Coward · · Score: 0

    Gosh. Javascript and Flash. Two great tastes that broke the web together.

  7. VM by Anonymous Coward · · Score: 0

    It says this malware refuses to do anything if it detects a VM. How do I make my computer look like a VM?

    1. Re:VM by Anonymous Coward · · Score: 0

      By switching to FreeBSD

    2. Re: VM by Anonymous Coward · · Score: 0

      Have you tried, perhaps, running it as a VM?

    3. Re:VM by lister+king+of+smeg · · Score: 1

      It says this malware refuses to do anything if it detects a VM. How do I make my computer look like a VM?

      My first guess is install vmware tools so it looks like a guest os?

      I have actually wondered why they wouldn't check for things like that and use them as an attack vector for the host computer.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    4. Re:VM by mattventura · · Score: 2

      Looking at the Bromium report, it appears that it's checking for various drivers that VM programs would typically install as part of their guest tools. It looks like if you were to install something as simple as the VMware mouse driver it would think you're in VMware. It also checks for Fiddler, so you could simply install that.

    5. Re: VM by Anonymous Coward · · Score: 0

      Yeah, it deletes itself.
      How to trigger this response from a regular install?
      I'm guessing you could load up the registry with drivers for VM. As long as you don't remove the real entries and as long as you don't have those virtual drivers then it won't do anything except look like a VM.
      But IDK if this malware detects VM through registry or some other way.

    6. Re: VM by DigiShaman · · Score: 1

      If it got installed in the first place, the damage is already done. It won't decrypt files on the way out of its own accord or via forced removal.

      --
      Life is not for the lazy.
  8. Hitman pro by thrill12 · · Score: 1

    apparently already blocks this Teslacrypt variant. Finding niches in the world to exploit becomes a sport it seems, I wonder what the next niche will be. I will be busy asserting my Linux security in the meanwhile.

    --
    Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
  9. Wheew!!! by tekrat · · Score: 4, Funny

    As long as it doesn't affect DOOM. And by that I mean the original, which I'm still playing after 2 decades.

    --
    If telephones are outlawed, then only outlaws will have telephones.
    1. Re:Wheew!!! by Anonymous Coward · · Score: 0

      You don't use a source port? Wow, hardcore.

    2. Re:Wheew!!! by antdude · · Score: 1

      Playing external WADs, Dehacked, mods, online, etc.? ;)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  10. Too much pretty graphics by Hey_bob · · Score: 3, Interesting

    At least I'll be able to keep playing Dwarf Fortress and NetHack for another 10mins, until I die. Again.
    YASD.. fun!

    1. Re:Too much pretty graphics by loonycyborg · · Score: 1

      With dwarf fortress it'll be a lot more than 10mins, unless you embark on a glacier or something :P

  11. So, it's the same thing by TJ_Phazerhacki · · Score: 2

    This sounds like the same sort of thing that has been plaguing 'normal' users for the last 2 years, except now, instead of locking down Word docs and photos, it's killing game save files.

    Betcha their ransom pay rate is way higher with gamers. Smart move, fuckers...

    --
    Physics is nothing like religion. If it was, we'd have an easier time trying to raise money!
    1. Re:So, it's the same thing by thegarbz · · Score: 1

      Looking at some of the games on the list I think I would pay them not to decrypt the files.

      Maybe play parents and kids off against each other. Keep having each party bid as to whether the son gets to spend his life playing WoW again.

  12. Sniper Elite 3 by TechyImmigrant · · Score: 1

    So long as they leave Sniper Elite 3 alone, I'm safe.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:Sniper Elite 3 by Anonymous Coward · · Score: 0

      You mean Testicle Shooter 3? Great game. Zombie Army Testicle Shooter just came out, also.

    2. Re:Sniper Elite 3 by TechyImmigrant · · Score: 1

      I guess you get two chances before you're out.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  13. Output of the human race spikes up momentarily by linear+a · · Score: 1

    While all the game files download again.

    1. Re:Output of the human race spikes up momentarily by Anonymous Coward · · Score: 0

      No way. I'm ripping the bong and eating a bowl of cereal while I wait.

  14. Hey guys by Anonymous Coward · · Score: 0

    Just woke up from a long nap. Whats going on? I cant log into my rocketmail :(

  15. No write access for you by Anonymous Coward · · Score: 0

    Give static assets read access for the User account and Users group. Give modify access for the Administrator account and Administrators group. When updates come, run the game as Administrator.

    It would be nice if the game developer would be clear about storing static files in specific areas, because you can't set everything as read access only blindly.

  16. Diablo?? by captain_nifty · · Score: 1

    It targets files associated with single-user games Call of Duty, Star Craft 2, Diablo, Fallout 3...

    Seriously, Diablo?? WTF, is that a typo and supposed to be Diablo II or 3? Are people still playing single-player Diablo? A few years back I installed it in a VM to get some nostalgic gameplay and it was horrible.

    1. Re:Diablo?? by Anonymous Coward · · Score: 0

      That's your opinion. I'm playing Diablo Hellfire right now on Win 7 and having a blast.

    2. Re:Diablo?? by Whorhay · · Score: 1

      It could be Diablo 3 files, though that'd be pointless as they could be just downloaded again. The saves for D3 are all kept on Blizzard's servers, this possibly being the only upside for the consumer of their DRM scheme.

      Diablo 1 or 2 could make sense as those allowed for save games on your computer. However that seems rather pointless also as there has been software for decades now to create your own save files with all the equipment you could ever want.

  17. Simcity? Does it go after my Simcity files? by Anonymous Coward · · Score: 0

    Concerned.

    1. Re:Simcity? Does it go after my Simcity files? by He+Who+Has+No+Name · · Score: 3, Funny

      Yes, but compared to what EA did to the game, it causes hundreds of dollars in improvement.

    2. Re:Simcity? Does it go after my Simcity files? by rogoshen1 · · Score: 1

      only if you type in swear words.

  18. Bromium? by DiSKiLLeR · · Score: 1, Troll

    Are they a venture backed startup full of bronies?

    --
    You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
    1. Re:Bromium? by Anonymous Coward · · Score: 0

      why is this modded Troll? It is serious question I too had when i first read that.

  19. They just jumped the shark by spacepimp · · Score: 1

    Nobody is going to pay to get their saved game data back. Plus gamers have no money.

    1. Re:They just jumped the shark by Anonymous Coward · · Score: 0

      Nobody is going to pay to get their saved game data back.

      You forgot to mention that Nobody falls for 419 scams, too!

      Nobody is apparently keeping a lot of scammers in business. ;)

    2. Re:They just jumped the shark by Whorhay · · Score: 1

      The demographics for gamers have been changing for a long while now. There is a large portion of that group that probably does lack disposable income to buy back save game files. But there is also a very large grouping that likely has money to ransom their save game files. I work with lots of 25-40 year olds that play video games and make professional white collar wages.

  20. Per file AES by OverlordQ · · Score: 1

    So how does the whole per-file random AES key work? Since they're only shipping over the one 'key' parameter, the individual file keys have to be somehow deterministic right?

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Per file AES by PRMan · · Score: 1

      If you can guess the exact contents of any 2 files, you should be able to reverse engineer the key. Probably impossible though.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    2. Re:Per file AES by lister+king+of+smeg · · Score: 1

      So how does the whole per-file random AES key work? Since they're only shipping over the one 'key' parameter, the individual file keys have to be somehow deterministic right?

      Or are all of the keys stored in an encrypted keyring, where the key they give you unlocks all of the keys in the keyring, which then unlock all of your files?

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    3. Re:Per file AES by Anonymous Coward · · Score: 1

      The AES key used to encrypt the files is randomized per-file, so there shouldn't be any files encrypted with the same key. The AES key is prepended to each encrypted file, encrypted by some flavor of asymmetric encryption (I think RSA but I'm not 100% on that). They download and use the 'public' half of the key on your computer, matching up with the private key on their own servers. You pay the ransom, it sends the private key to your computer and uses it to decrypt the individual AES keys, wham bam thank you sir.

      It's really ingenious, because short of snagging the AES key while it's actively encrypting the file there's really not any way to hack this.

    4. Re:Per file AES by Anonymous Coward · · Score: 0

      If you can guess the exact contents of any 2 files, you should be able to reverse engineer the key.

      If this were possible, AES would be considered completely broken. In fact you don't need the exact contents of two files to do this for a broken block cipher, you only need 1 block, which for AES is 128 bits (16 bytes).

    5. Re:Per file AES by OverlordQ · · Score: 1

      Ok, that makes more sense. That dual symmetric-asymmetric was missing from one of the writeups.

      --
      Your hair look like poop, Bob! - Wanker.
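The thread above works out the hybrid scheme: a fresh random AES key per file, that key wrapped with an RSA public key that is the only key material present on the victim's machine, and the wrapped key prepended to the ciphertext. The Go program below is an added example that implements that layout so the structure is concrete; it is not the malware's code and not from the Bromium report. The on-disk layout (a 2-byte length, the RSA-OAEP-wrapped key, a 12-byte GCM nonce, then AES-256-GCM ciphertext) is an assumption chosen for this illustration, as is the use of GCM rather than whatever mode the real sample used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed blob layout for this example (not the real sample's format):
//   [2-byte big-endian length L][L bytes: RSA-OAEP(fileKey)][12-byte nonce][AES-256-GCM ciphertext||tag]
const (
	fileKeyBytes = 32 // AES-256
	nonceBytes   = 12 // standard GCM nonce size
)

// encryptFile does what the ransomware does per file. pub is the operator's
// public key; a fresh fileKey is drawn for every call, so two files with the
// same contents still get unrelated keys and ciphertexts.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, fileKeyBytes)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	// Only the holder of the matching private key can recover fileKey.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)

	var out bytes.Buffer
	var lenBuf [2]byte
	binary.BigEndian.PutUint16(lenBuf[:], uint16(len(wrapped)))
	out.Write(lenBuf[:])
	out.Write(wrapped)
	out.Write(nonce)
	out.Write(ct)
	return out.Bytes(), nil
}

// decryptFile is the "decryptor" the victim gets after paying: unwrap the
// per-file key with the private key, then open the AES-GCM payload.
func decryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("blob too short")
	}
	wlen := int(binary.BigEndian.Uint16(blob[:2]))
	if len(blob) < 2+wlen+nonceBytes {
		return nil, errors.New("blob truncated")
	}
	wrapped := blob[2 : 2+wlen]
	nonce := blob[2+wlen : 2+wlen+nonceBytes]
	ct := blob[2+wlen+nonceBytes:]

	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil) // fails on any tampering
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stays on the operator's server
	if err != nil {
		panic(err)
	}
	save := []byte("constructed save-game contents") // constructed sample input
	blob, err := encryptFile(&priv.PublicKey, save)
	if err != nil {
		panic(err)
	}
	back, err := decryptFile(priv, blob)
	fmt.Printf("blob %d bytes, roundtrip ok: %v, err: %v\n", len(blob), bytes.Equal(back, save), err)
}
```

Two things the code makes visible. Knowing the plaintext of a file does not help: with a fresh random key per file, a known plaintext/ciphertext pair tells you nothing about any other file, and recovering one key from memory during encryption rescues exactly that one file. And the victim never holds the secret that matters; the 2048-bit RSA private key is what is being sold, which is why the design is sound as a racket and why backups that the malware cannot reach are the only real answer.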
  21. not WoT! :( by ihtoit · · Score: 1

    out of all the games listed, that's the only one I actually play!

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  22. Javascript and Flash and Windows and IExplorer by DougPaulson · · Score: 1

    > Gosh. Javascript and Flash. Two great tastes that broke the web together.

  23. this may sound dumb by desdinova+216 · · Score: 1

    but doesn't WoW and all MMO games save all character data on the server?

    1. Re: this may sound dumb by Anonymous Coward · · Score: 0

      For those it encrypts the whole install. Causing you to reinstall and update. WoW is over 30 Gigs so have fun waiting for that. WoW allows some Lua scripting for UI stuff (or at least they used to, idk, I never tried WoW). Any customizing you did is gone. But your account is safe.

    2. Re: this may sound dumb by Anonymous Coward · · Score: 0

      No one is going to pay $500 to not re-install 30 GB ... are they? I mean, you have to re-install anyway, your computer is pwned.

  24. Oh no! Please don't encrypt my WoW files! by Sycraft-fu · · Score: 2

    I mean it isn't like it is an online game where Blizzard stores all your character data, key settings, macros and other stuff on the server! Oh, wait, yes it is.

    Seriously, why would they do WoW? You just run a repair in the Blizzard client, redownload any mods, and you are up and running. They do it so you can easily play on multiple computers.

    1. Re:Oh no! Please don't encrypt my WoW files! by Anonymous Coward · · Score: 2, Interesting

      WoW has bloated significantly over its lifespan. People with a slower Internet connection will have to wait quite a long time for it to re-download. All while paying Blizzard for access to a service they can't use. Not to mention WoW-addiction. Some might be tempted to pay to speed things up.

    2. Re:Oh no! Please don't encrypt my WoW files! by kit_triforce · · Score: 2

      This is why I still play RuneScape.

    3. Re:Oh no! Please don't encrypt my WoW files! by Mashiki · · Score: 1

      Well 5-6? expansions, new assets, and so-on will cause bloat.

      --
      Om, nomnomnom...
  25. Dang.... by Ferretman · · Score: 1

    Gotta give them credit, that's clever.

    Ferret

    --
    Sic gorgiamus allos subjectatos nunc
  26. Which games now? by flopsquad · · Score: 1

    It targets files associated with single-user games Call of Duty, Star Craft 2, Diablo, Fallout 3...

    So this is how Tristram falls...

    --
    Nothing posted to /. has ever been legal advice, including this.
  27. Steam Cloud to the rescue? by Jesus_666 · · Score: 1

    I wonder if Valve will expand the Steam Cloud in response. Steam already warns you on game launch if your savegames don't match what's in the cloud so broken savegames can be recovered as long as you don't sync. The flaw in that is that syncing happens whenever you exit the game so you'd have to force-kill Steam if you notice that everything is corrupt. (Perhaps this only applies if your game actually saved something but some games are very save-happy.)

    If Valve adds a simple versioning system, even if it just offers the current version and the one before that, crypto-ransomware will become completely useless against Steam titles.

    --
    USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  28. WoW by Anonymous Coward · · Score: 0

    World of Warcraft? What files on the client would you be afraid of losing? You could just reinstall the game and log in again, everything of importance is stored server-side as far as I know?

  29. Try a BETTER version (Doom 3 Engine) by Anonymous Coward · · Score: 0

    See subject & "Classic DOOM" -> http://www.moddb.com/mods/clas...

    * :)

    (It's what DOOM I/II should have been ALL along, albeit, rendered on the DOOM III Engine, instead...)

    APK

    P.S.=> IF you haven't tried it? I wager you'll like it... apk