Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Crypto-Ransomware Encrypts Video Game Files

Posted by timothy on from the first-world-problems dept.

An anonymous reader writes A new piece of ransomware that (mis)uses the Cryptolocker "brand" has been analyzed by Bromium researchers, and they discovered that aside from the usual assortment of file types that ransomware usually targets, this variant also encrypts file types associated with video games and game related software. It targets files associated with single-user games Call of Duty, Star Craft 2, Diablo, Fallout 3, Minecraft, Half-Life 2, Dragon Age: Origins, The Elder Scrolls and specifically Skyrim-related files, Star Wars: The Knights Of The Old Republic, WarCraft 3, F.E.A.R, Saint Rows 2, Metro 2033, Assassin's Creed, S.T.A.L.K.E.R., Resident Evil 4, Bioshock 2; and online games World of Warcraft, Day Z, League of Legends, World of Tanks, and Metin2. Here's the Bromium Labs report.

46 of 73 comments (clear)

  1. Just re-download it? by Anonymous Coward · · Score: 1

    Targeting files that can easily be replaced by exactly the same means that they were gotten in the first place doesn't seem like a super brilliant move.

    1. Re:Just re-download it? by tysonedwards · · Score: 1

      They think that the whole world is on 1.5Mbps connections, and make them all suffer with their redownloading of 100GB of Star Citizen, or 33GB of WoW, or ... Make it too painful, so they pay a pittance to be able to play again sometime this month.

      --
      Thirty four characters live here.
    2. Re:Just re-download it? by mlts · · Score: 2

      It doesn't seem like much of a step, but it is an advance for the bad guys.

      As always, even though save game files may not be something people consider as valuable, it is still something that can be lost.

      Ransomware seems like it is just starting to ramp up this year. I would not be surprised to see the next generation of it starts checking if the user has any AD rights and attacks entire AD forests. A company that loses access to AD (especially if they use rights management servers) likely will pay a criminal organization top BTC to get their access back.

      The ironic thing is that tape drives are starting to see a resurgence. The market share for tape drives grew 13% in 2013, and 26% in 2014 (as per Extremetech). Add Sony's sputtered deposition technology (similar to how some high-end studio microphone elements are made) that offers 185 terabytes per cartridge, and we have a decent tool to combat ransomware.

      Of course, the best solution for a small installation is a dedicated backup server that pulls backups (optionally encrypted), and plops data on a disk array as well as tape. Tape isn't perfect, but its advantage is that it is easily stored offline, where physical presence is needed to put a tape in, and cartridges have a read/write switch that is honored, barring a covert reflash of the tape drive's firmware. For larger installations, it is hard to beat WORM media, SPIN/SPOUT encryption on the drives, and silos.

    3. Re:Just re-download it? by fuzzyfuzzyfungus · · Score: 3, Funny

      Targeting files that can easily be replaced by exactly the same means that they were gotten in the first place doesn't seem like a super brilliant move.

      Also, targeting fanatical TES players makes a visit from the Dark Brotherhood a virtual certainty.

      "Sweet mother, sweet mother, send your child unto me..."

    4. Re:Just re-download it? by vux984 · · Score: 2

      Targeting files that can easily be replaced by exactly the same means that they were gotten in the first place doesn't seem like a super brilliant move.

      Presumably they'd be targeting the save games.

      Given that PC gamers are by and large usually at least a bit technically savvy, and often very savvy going after the executables doesn't seem like a winning strategy. You'd catch someone I'm sure... but only a fraction of the audience would even care.

      Then again... only a fraction of the audience is really that invested in their save games. The truly valuable stuff (relatively speaking) is all tied to mmo accounts (and therefore not stored on your PC anyway).

    5. Re:Just re-download it? by CronoCloud · · Score: 1

      Doesn't most of these ransomware things also lock down the machines network connection for anything else other than paying the ransom?

    6. Re:Just re-download it? by mattventura · · Score: 2

      Then again... only a fraction of the audience is really that invested in their save games. The truly valuable stuff (relatively speaking) is all tied to mmo accounts (and therefore not stored on your PC anyway).

      Exactly, it would be far more profitable for them to simply steal any saved account credentials.

    7. Re:Just re-download it? by Anonymous Coward · · Score: 1

      Homer: New York is a hellhole. And you know how I feel about hellholes.
      Lisa: Dad, you can't judge a place you've never been to.
      Bart: Yeah, that's what people do in Russia.

    8. Re:Just re-download it? by dbIII · · Score: 1

      The ironic thing is that tape drives are starting to see a resurgence

      Good. It will make things cheaper for those of us that never stopped using them. LTO5 can write faster than a gigabit network can feed the computer it's hooked up to, and LTO6 is apparently even faster.

  2. Conspiracy theory by mattventura · · Score: 3, Interesting

    All of these crypto ransomware things are actually a plot to make people associate "encryption" with something bad, so that people will stop using things like encrypted-by-default phones.

  3. Hitman pro by thrill12 · · Score: 1

    apparently already blocks this Teslacrypt variant. Finding niches in the world to exploit becomes a sport it seems, I wonder what the next niche will be. I will be busy asserting my Linux security in the meanwhile.

    --
    Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
  4. Wheew!!! by tekrat · · Score: 4, Funny

    As long as it doesn't affect DOOM. And by that I mean the original, which I'm still playing after 2 decades.

    --
    If telephones are outlawed, then only outlaws will have telephones.
    1. Re:Wheew!!! by antdude · · Score: 1

      Playing external WADs, Dehacked, mods, online, etc.? ;)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  5. Too much pretty graphics by Hey_bob · · Score: 3, Interesting

    At least I'll be able to keep playing Dwarf Fortress and NetHack for another 10mins, until I die. Again.
    YASD.. fun!

    1. Re:Too much pretty graphics by loonycyborg · · Score: 1

      With dwarf fortress it'll be a lot more than 10mins, unless you embark on a glacier or something :P

  6. So, it's the same thing by TJ_Phazerhacki · · Score: 2
    This sounds like the same sort of thing that has been plaguing 'normal' users for the last 2 years, except now, instead of locking down Word docs and photos, it's killing game save files.

    Betcha their ransom pay rate is way higher with gamers. Smart move, fuckers...

    --
    Physics is nothing like religion. If it was, we'd have an easier time trying to raise money!
    1. Re:So, it's the same thing by thegarbz · · Score: 1

      Looking at some of the games on the list I think I would pay them not to decrypt the files.

      Maybe play parents and kids off against each other. Keep having each party bid as to whether the son gets to spend his life playing WoW again.

  7. Sniper Elite 3 by TechyImmigrant · · Score: 1

    So long as they leave Sniper Elite 3 alone, I'm safe.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:Sniper Elite 3 by TechyImmigrant · · Score: 1

      I guess you get two chances before you're out.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  8. Output of the human race spikes up momentarily by linear+a · · Score: 1

    While all the game files download again.

  9. Diablo?? by captain_nifty · · Score: 1

    It targets files associated with single-user games Call of Duty, Star Craft 2, Diablo, Fallout 3...

    Seriously Diablo?? WTF is that a typo and supposed to be DIablo II or 3, are people still playing single player Diablo, a few years back I installed it in a VM to get some nostalgic gameplay and it was horrible.

    1. Re:Diablo?? by Whorhay · · Score: 1

      It could be Diablo 3 files though that'd be pointless as they could be just downloaded again. The saves for D3 are all kept on Blizzards servers, this possibly being the only upside for the consumer of their DRM scheme.

      Diablo 1 or 2 could make sense as those allowed for save games on your computer. However that seems rather pointless also as there has been software for decades now to create your own save files with all the equipment you could ever want.

  10. Bromium? by DiSKiLLeR · · Score: 1, Troll

    Are they a venture backed startup full of bronies?

    --
    You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
  11. Re:Simcity? Does it go after my Simcity files? by He+Who+Has+No+Name · · Score: 3, Funny

    Yes, but compared to what EA did to the game, it causes hundreds of dollars in improvement.

  12. They just jumped the shark by spacepimp · · Score: 1

    Nobody is going to pay to get their saved game data back. Plus gamers have no money,.

    1. Re:They just jumped the shark by Whorhay · · Score: 1

      The demographics for gamers has been changing for a long while now. There is a large portion of that group that probably does lack disposable income to buy back save game files. But there is also a very large grouping that likely has money to ransom their save game files. I work with lots of 25-40 year olds that play video games and make proffesional white collar wages.

  13. Re:Simcity? Does it go after my Simcity files? by rogoshen1 · · Score: 1

    only if you type in swear words.

  14. Per file AES by OverlordQ · · Score: 1

    So how does the whole per-file random AES key work? Since they're only shipping over the one 'key' parameter, the individual file keys have to be somehow deterministic right?

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Per file AES by PRMan · · Score: 1

      If you can guess the exact contents of any 2 files, you should be able to reverse engineer the key. Probably impossible though.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    2. Re:Per file AES by lister+king+of+smeg · · Score: 1

      So how does the whole per-file random AES key work? Since they're only shipping over the one 'key' parameter, the individual file keys have to be somehow deterministic right?

      or are all of the keys are stored in a encrypted keyring where the key they give you unlocks all of the keys in the keyring which then unlocks all of your files.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    3. Re:Per file AES by Anonymous Coward · · Score: 1

      The AES key used to encrypt the files is randomized per-file, so there shouldn't be any files encrypted with the same key. The AES key is pre-pended to each file encrypted by some flavor of asymmetric encryption (I think RSA but I'm not 100% on that). They download and use the 'public' half of the key on your computer, matching up with the private key on their own servers. You pay the ransom, it sends the private key to your computer and uses it to decrypt the individual AES keys, wham bam thank you sir.

      It's really ingenious, because short of snagging the AES key while it's actively encrypting the file there's really not any way to hack this.

    4. Re:Per file AES by OverlordQ · · Score: 1

      Ok, that makes more sense. That dual symmetric-asymmetric was missing from one of the writeups.

      --
      Your hair look like poop, Bob! - Wanker.
  15. not WoT! :( by ihtoit · · Score: 1

    out of all the games listed, that's the only one I actually play!

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  16. Javascript and Flash and Windows and IExplorer by DougPaulson · · Score: 1

    > Gosh. Javascript and Flash. Two great tastes that broke the web together.

  17. this may sound dumb by desdinova+216 · · Score: 1

    but doesn't WoW and all MMO games save all character data on the server?

  18. Re:VM by lister+king+of+smeg · · Score: 1

    It says this malware refuses to do anything if it detects VM. How to make my computer look like a VM?

    My first guess is install vmware tools so it looks like a guest os?

    I have actually wondered why they wouldn't check for things like that and use them as an attack vector for the host computer.

    --
    ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
  19. Oh no! Please don't encrypt my WoW files! by Sycraft-fu · · Score: 2

    I mean it isn't like it is an online game where Blizzard stores all your character data, key settings, macros and other stuff on the server! Oh, wait, yes it is.

    Seriously, why would they do WoW? You just run a repair in the Blizzard client, redownload any mods, and you are up and running. They do it so you can easily play on multiple computers.

    1. Re:Oh no! Please don't encrypt my WoW files! by Anonymous Coward · · Score: 2, Interesting

      WoW has bloated significantly over its lifespan. People with a slower Internet connection will have to wait quite a long time for it to re-download. All while paying Blizzard for access to a service they can't use. Not to mention WoW-addiction. Some might be tempted to pay to speed things up.

    2. Re:Oh no! Please don't encrypt my WoW files! by kit_triforce · · Score: 2

      This is why I still play RuneScape.

    3. Re:Oh no! Please don't encrypt my WoW files! by Mashiki · · Score: 1

      Well 5-6? expansions, new assets, and so-on will cause bloat.

      --
      Om, nomnomnom...
  20. Re:VM by mattventura · · Score: 2

    Looking at the Bromium report, it appears that it's checking for various drivers that Vm programs would typically install as part of their guest tools. It looks like if you were to install something as simple as the VMware mouse driver it would think you're in VMware. It also checks for Fiddler so you could simply install that.

  21. Dang.... by Ferretman · · Score: 1

    Gotta give them credit, that's clever.

    Ferret

    --
    Sic gorgiamus allos subjectatos nunc
  22. Which games now? by flopsquad · · Score: 1

    It targets files associated with single-user games Call of Duty, Star Craft 2, Diablo, Fallout 3...

    So this is how Tristram falls...

    --
    Nothing posted to /. has ever been legal advice, including this.
  23. Re: VM by DigiShaman · · Score: 1

    If it got installed in the first place, the damage is already done. It won't decrypt files on the way out of its own accord or via forced removal.

    --
    Life is not for the lazy.
  24. Steam Cloud to the rescue? by Jesus_666 · · Score: 1

    I wonder if Valve will expand the Steam Cloud in response. Steam already warns you on game launch if your savegames don't match what's in the cloud so broken savegames can be recovered as long as you don't sync. The flaw in that is that syncing happens whenever you exit the game so you'd have to force-kill Steam if you notice that everything is corrupt. (Perhaps this only applies if your game actually saved something but some games are very save-happy.)

    If Valve adds a simple versioning system, even if it just offers the current version and the one before that, crypto-ransomware will become completely useless against Steam titles.

    --
    USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  25. Re:Oh noooo. by RavenLrD20k · · Score: 1

    For you and me, this is a non-issue. Games are supposed to be fun. For my roommate who's a real achievement/gamerscore whore, I'd have to hear him bitching about him having to re-do all the back-bending he's done to get those obscure achievements. He goes after these things like he's actually making money off of them, instead of realizing that it's sucking his wallet and soul dry. For people like that, games are work; while they'll say they're having fun, their attitude doesn't show it one bit.