PewCrypt Ransomware Locks Users' Files and Won't Offer a Decryption Key Until - and Unless - PewDiePie's YouTube Channel Beats T-Series To Hit 100M Subscribers (zdnet.com)
The battle between PewDiePie, currently the most subscribed channel on YouTube, and T-Series, an Indian music label, continues to have strange repercussions. In recent months, as T-Series closes the gap to overtake PewDiePie for the crown of the most subscribed channel on YouTube, alleged supporters of PewDiePie, in an unusual show of love, have hacked Chromecasts and printers to persuade victims to subscribe to PewDiePie's channel. Now ZDNet reports on a second strain of ransomware that is linked to PewDiePie. From the report: A second one appeared in January, and this was actually a fully functional ransomware strain. Called PewCrypt, this ransomware was coded in Java, and it encrypted users' files in the "proper" way, with a method of recovering files at a later date. The catch: you couldn't buy a decryption key, but instead, victims had to wait until PewDiePie gained over 100 million subscribers before being allowed to decrypt any of the encrypted files. At the time of writing, PewDiePie had around 90 million fans, meaning any victim would be in for a long wait before they could regain access to any of their files. Making matters worse, if T-Series got to 100 million subscribers before PewDiePie, then PewCrypt would delete the user's encryption key for good, leaving users without a way to recover their data.
While the ransomware was put together as a joke, sadly, it did infect a few users, ZDNet has learned. Its author eventually realized the world of trouble he'd get into if any of those victims filed complaints with authorities, and released the ransomware's source code on GitHub, along with a command-line-based decryption tool.
What the hell have you seen that would make him alt-right?
It's objectively easy to find. In the first 60 seconds of the latest PewDiePie video; "Shane vs Cat," which appeared two hours ago there is a graphic of the "NPC Wojak" meme. There is simply no way a meme lord like PewDiePie doesn't know that symbol is hated by SJW groupthinkers. This appears in the context of a "meme review" where he riffs on J.K. Rowling and the history of her various sops to 'progressive inclusivity.'
Personally I don't believe PewDiePie is particularly "Alt Right." He makes his living being somewhat edgy and irreverent and since the SJW/progressive worldview completely dominates every last square inch of everything, everywhere people like him aren't left with much to do unless they're saying things SJWs/progressives don't want to hear. Today that's all it takes to be branded "Alt Right."
Maybe he is actually going that way. What are you supposed to do when you find yourself threatened with platforming as an antisemite by a prevailing mentality that can find no fault with Ilhan Omar or Al Sharpton?
Maw! Fire up the karma burner!
Sigh, /. is dead. It's like none of the posters even looked at the code.
For anyone who's interested, the encryption used here is very poor. He leaves the mode and padding unspecified for both the asymmetric (RSA) and symmetric (AES) encryption operations. That causes the provider defaults to be used. In the case of the RSA step that's not terrible, since every provider I'm aware of uses PKCS#1 v1.5 padding. This isn't great, since PKCS#1 v1.5 is vulnerable to an adaptive chosen ciphertext attack, but in this usage that doesn't really matter.
The bigger problem is that AES typically defaults to ECB mode. Using ECB means that any repeated 16-byte blocks of plaintext will encrypt to identical 16-byte blocks of ciphertext. This can often expose enough structure to allow the file contents to be partially recovered. It's particularly bad in this case since the same key is used to encrypt all of the files. If AES were in any way vulnerable to brute force, this would almost certainly provide many "cribs" (known plaintext/ciphertext pairs) which could be used to discover the key and decrypt everything else. AES-256 is not, however, vulnerable to brute force, and won't be until computers are made of something other than matter and occupy something other than space (anyone catch the reference?).
Overall, I suppose the chosen encryption was adequate to the task, but it was very sloppy.
Do you think he'd accept a pull request to fix it up?
The minimum required changes are small. I'd use "RSA/ECB/OAEPWithSHA-256AndMGF1Padding" for the RSA operation, just because, and "AES/GCM/NoPadding" for the AES op. It would also be necessary to get the IV (let the provider generate it) and prepend it to each encrypted file. The files would be 28 bytes larger (12 for IV, 16 for tag), but secure.
Also, I'd process files in chunks rather than reading a whole file into memory and then encrypting and writing it back out. It could then handle files of any size. His code just skips any files larger than 20 MB. That's actually the biggest flaw in the implementation; given file sizes today, lots of stuff would just be skipped. All of my RAW photos would be safe, for example. The JPEGs would get encrypted, but who cares about them?
Oh, one more problem: Most systems these days don't overwrite in place, so the plaintext file will be left on the drive, available for recovery. Granted that recovery is not trivial, but still, the data will be there. Fixing this would require doing something like filling the drive with garbage files, forcing the drive to overwrite all free blocks. Overwriting multiple times might be a good idea, too, though that's probably not necessary. Some systems offer free space shredding as a feature; on those that could be used to ensure destruction of the plaintext.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
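An added example of the ECB leak and the GCM fix discussed in the comment above. This is not PewCrypt's code and not the commenter's patch; it is written in Go because the standard library covers everything needed and the point is language-independent. The Java transformation strings map as follows: an unspecified-mode "AES" is raw ECB, which ecbEncrypt reproduces block by block; "AES/GCM/NoPadding" with the IV prepended is sealFile/openFile. The function names, the 32-byte key, and the sample input (a 16-byte record repeated 64 times) are assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ecbEncrypt is raw AES-ECB: each 16-byte block is encrypted on its own, which is
// what Cipher.getInstance("AES") selects in Java when mode and padding are unspecified.
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt)-len(pt)%16) // trailing partial block dropped (real ECB would pad it)
	for i := 0; i+16 <= len(pt); i += 16 {
		block.Encrypt(ct[i:i+16], pt[i:i+16]) // same block in, same block out
	}
	return ct, nil
}

// repeatedBlocks counts ciphertext blocks identical to an earlier one. Under ECB
// that mirrors the plaintext's repetition; under GCM it is zero.
func repeatedBlocks(ct []byte) int {
	seen, dup := map[[16]byte]bool{}, 0
	for i := 0; i+16 <= len(ct); i += 16 {
		var b [16]byte
		copy(b[:], ct[i:i+16])
		if seen[b] {
			dup++
		}
		seen[b] = true
	}
	return dup
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFile is the "AES/GCM/NoPadding" fix: a fresh random 12-byte nonce per file,
// written ahead of the ciphertext, followed by the 16-byte tag (28 bytes overhead).
func sealFile(key, pt []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, nil), nil // Seal appends to dst: nonce || ct || tag
}

// openFile splits the prepended nonce back off and verifies the tag before returning plaintext.
func openFile(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// Demo encrypts a constructed sample file both ways and returns the duplicate-block
// count under ECB, the count under GCM, and whether the GCM output round-trips.
func Demo() (int, int, bool, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return 0, 0, false, err
	}
	pt := bytes.Repeat([]byte("record:000000000"), 64) // constructed sample input
	ecb, err := ecbEncrypt(key, pt)
	if err != nil {
		return 0, 0, false, err
	}
	blob, err := sealFile(key, pt)
	if err != nil {
		return 0, 0, false, err
	}
	back, err := openFile(key, blob)
	if err != nil {
		return 0, 0, false, err
	}
	return repeatedBlocks(ecb), repeatedBlocks(blob), bytes.Equal(back, pt), nil
}
```

Demo returns 63 duplicate blocks for ECB (64 identical records, all but the first repeat) and 0 for GCM, and any flipped bit in the GCM output makes openFile return an error rather than garbage. Two caveats for anyone porting this back to Java: the Go analogue of "RSA/ECB/OAEPWithSHA-256AndMGF1Padding" is rsa.EncryptOAEP(sha256.New(), ...), but SunJCE uses SHA-1 for the MGF1 step of that transformation unless an explicit OAEPParameterSpec says otherwise, so the two are not interoperable by default; and the JDK's GCM decryption buffers the whole ciphertext until the tag verifies, so wrapping a CipherInputStream around GCM does not bound memory for large files. Chunked processing of arbitrarily large files needs a per-chunk AEAD layout (chunk counter in the nonce, final-chunk flag authenticated) rather than one GCM call per file. Random 96-bit nonces under a single key, as a one-key-for-all-files design like PewCrypt's would use, are safe only up to roughly 2^32 files.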
hbomberguy did a video specifically about PewDiePie: https://youtu.be/GjNILjFters
Shaun is also very good, producing a lot of debunking videos.
Just waiting for the wave of videos about Lauren Southern to hit now, given that the Christchurch terrorist cited her "Great Replacement" conspiracy theory prominently in his manifesto, even using it as the title.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC