PUBG ransomware wants you to play, not pay

An unusual ransomware, associated with the computer game PlayerUnknown’s Battlegrounds, has been uncovered by researchers; ESET detects it as MSIL/Filecoder.HD.

Researchers have discovered a new piece of ransomware that holds the victim’s files hostage. This one, however, comes with a rather peculiar demand in return for recovering the files, according to a Bleeping Computer report citing research by MalwareHunterTeam.

When executed, this ransomware – called “PUBG Ransomware” and detected by ESET as MSIL/Filecoder.HD – encrypts files and folders “only” on the user’s desktop and adds the .PUBG extension to them.

Then, a splash screen is displayed that contains the ransom note. It turns out that, in order to set the victim’s digital belongings free, all that the rather benign ransomware wants from the user is for them to spend an hour playing a game called PlayerUnknown’s Battlegrounds (commonly known as PUBG, hence the ransomware’s name).

Or so the ransom note says. In fact, however, it was found that simply running the PUBG-associated executable for three seconds is enough to trigger the decryption.

Either way, if you’re not in the mood to even touch the game, the ransomware seems to let users off the hook: the ransom message includes the “restore code” apparently with no strings attached.

[Image: PUBG-ransomware-screenshot.png – Ransom note]

An analysis showed that the ransomware keeps tabs on processes running on the computer and checks whether a process called “TslGame” is running. TslGame is apparently started whenever PUBG is launched, providing a way for the ransomware to determine, albeit somewhat simplistically, whether the victim is playing ball. It is unclear yet how this ransomware is being spread.
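The two on-disk and in-memory indicators the article describes (files on the Desktop renamed with a trailing .PUBG extension, and decryption keyed to a process named TslGame) are enough for a simple hunt. The script below is an added example, not code from the article or from ESET: it builds a throwaway Desktop-like directory with constructed sample files, lists every file carrying the .PUBG marker, recovers each file's original name, and checks a constructed process list for the TslGame name. It assumes the only file artefact is the appended extension; any real host data you point it at should be treated as a suspected IoC hit, not a confirmed one.

```python
"""Hunt for the indicators described above: files renamed with a trailing
".PUBG" extension and a running process named "TslGame".

Added example, not code from the article or from ESET. The sample
directory and process list are constructed here so the script runs offline.
"""
from pathlib import Path
import tempfile

MARKER_SUFFIX = ".PUBG"      # extension the article says is appended to encrypted files
TRIGGER_PROCESS = "TslGame"  # process name the article says the ransomware watches for


def find_marked_files(root: Path) -> list[Path]:
    """Return every regular file under root whose name ends with .PUBG.

    The comparison is case-sensitive because the article reports the
    extension in upper case; relax it if you observe mixed-case variants.
    """
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.name.endswith(MARKER_SUFFIX))


def original_name(marked: Path) -> str:
    """Strip the appended marker to recover the file's original name."""
    return marked.name[: -len(MARKER_SUFFIX)]


def hunt(root: Path) -> dict[str, str]:
    """Map each marked file (path relative to root, POSIX style) to its original name."""
    return {p.relative_to(root).as_posix(): original_name(p)
            for p in find_marked_files(root)}


def trigger_process_present(process_names: list[str]) -> bool:
    """True if the TslGame process name appears in a list of running process names.

    Process names are compared without their image-file extension so that
    "TslGame.exe" and "TslGame" both match.
    """
    return any(Path(name).stem == TRIGGER_PROCESS for name in process_names)


def build_sample_desktop() -> Path:
    """Construct a throwaway Desktop-like tree with a few sample files (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="pubg-hunt-"))
    (root / "notes.txt.PUBG").write_bytes(b"\x00" * 16)
    (root / "thesis.docx.PUBG").write_bytes(b"\x00" * 16)
    (root / "unaffected.png").write_bytes(b"\x89PNG")
    sub = root / "project"
    sub.mkdir()
    (sub / "main.c.PUBG").write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    desktop = build_sample_desktop()
    for rel, orig in hunt(desktop).items():
        print(f"{rel}  ->  original name {orig!r}")
    # Constructed process list standing in for the output of a real process enumeration.
    sample_processes = ["explorer.exe", "TslGame.exe", "svchost.exe"]
    print("trigger process running:", trigger_process_present(sample_processes))
```

On a real host, replace `build_sample_desktop()` with the user's actual Desktop path and `sample_processes` with a real process enumeration; a hit on the .PUBG marker is a sign the host executed the sample, while the TslGame check only tells you whether the decryption condition is currently met.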

We reported in our mid-year review of last year’s cybersecurity landscape on another piece of ransomware that demanded that the user play a game. That creation, called ‘Rensenware’, required the victim to get a high score, at the “lunatic” level of a Japanese PC game in order to get their files back.

All told, however, these curious tales should not detract from the magnitude of the threat that ransomware represents at present. Campaigns from not long ago are a stark reminder of how much damage extortion campaigns can wreak.

ESET Senior Research Fellow David Harley is keen to point out that this incident should not be treated lightly: “While this program has been referred to as ‘what could only be a joke’, it’s not really that funny. For a start, messing with a victim’s data might conceivably go horribly wrong in some circumstances – it doesn’t sound to be an impeccably well-coded program – we saw this time and time again in the heyday of the virus, where malware written by hobbyist virus writers had some (presumably) unintended but unfortunate effect. In any case, seeing a message like this could cause a victim serious concern, if they didn’t understand exactly what was going on.
Even more important, this still looks to me like activity that would be regarded in principle as criminal in most jurisdictions, since it involves unauthorized access and modification. The fact that it probably wasn’t meant to be malicious doesn’t mean that it shouldn’t be taken seriously. The next such ‘joke’ might turn out to be even less humorous”.

written by Tomas Foltyn, ESET We Live Security
