Gamers come in all ages and from all walks of life; they may or may not have files they consider irreplaceable enough that they would be tempted to pay a ransom to get them decrypted. But what if it was your saved games, your mods, your DLC and your Steam account data that were encrypted and held for ransom? That is exactly what the crypto-ransomware TeslaCrypt is doing; in fact it targets over 50 file extensions related to video games, including Steam, single- and multiplayer games, and even game development software.
Although the ransom window, which announces “your personal files are encrypted,” may look like CryptoLocker’s, don’t be fooled: this is an attempt to cash in on CryptoLocker’s notoriety. The same ransom note becomes your desktop wallpaper after a TeslaCrypt infection. You are given three days to pay up.
Although TeslaCrypt targets 185 file extensions in total, including documents, photos and iTunes files, Bromium Labs security researcher Vadim Kotov noted that “it targets more file types associated with video games than we have ever seen.”
Kotov said the targeted games are popular, but none of them are “top sellers” or “most played.” Yet some of those titles do appear on Steam’s “top sellers” list when they are on sale. Around Christmas, when Steam ran its big holiday sales, you could pick up numerous titles from that list for as little as $5. So even if the games aren't new, whenever the price drops far enough a flood of new users starts playing them.
Targeted games and gaming software
Bromium provided the full list of targeted games and affected gaming software:
Single User Games: Call of Duty, StarCraft 2, Diablo, Fallout 3, Minecraft, Half-Life 2, Dragon Age: Origins, The Elder Scrolls (and specifically Skyrim-related files), Star Wars: Knights of the Old Republic, Warcraft 3, F.E.A.R., Saints Row 2, Metro 2033, Assassin’s Creed, S.T.A.L.K.E.R., Resident Evil 4 and BioShock 2.
Online games: World of Warcraft, Day Z, League of Legends, World of Tanks and Metin2.
Company Specific Files: Various EA Sports games, various Valve games and various Bethesda games
Gaming Software: Steam
Game Development Software: RPG Maker, Unity3D and Unreal Engine
According to Kotov:
Encrypting all these games demonstrates the evolution of crypto-ransomware as cybercriminals target new niches. Many young adults may not have any crucial documents or source code on their machine (even photographs are usually stored at Tumblr or Facebook), but surely most of them have a Steam account with a few games and an iTunes account full of music. Non-gamers are also likely to be frustrated by these attacks if they lose their personal data.
Files are targeted by extension. Concretely, these are user profile data, saved games, maps, mods, etc. Often it’s not possible to restore this kind of data even after re-installing a game via Steam.
Seeing gamers targeted by ransomware was new to Bromium, but Bleeping Computer reported that TeslaCrypt itself was first spotted by Emsisoft in February. Bromium also explained how people are currently being infected.
An unnamed compromised WordPress site redirects visitors to the Angler exploit kit, which delivers the payload via a malicious Flash file; the URL keeps changing as the criminals move where the Flash file is hosted, Kotov explained. Before the Flash exploit is dropped, the attack chain checks the visiting machine for virtual machine driver files and “some anti-virus products,” a common step to avoid detonating inside researchers’ sandboxes. Once a PC is infected, TeslaCrypt scans all drives, encrypts the targeted files and replaces the desktop wallpaper with a ransom note instructing the victim to install Tor and make the payment via a site in the Tor domain.
In a previous crypto-ransomware report (PDF), Bromium said the targeted file types usually include documents, images, audio and video files, source code, CAD designs, databases, security-related files such as password managers, key chains and certificates, archives, financial software from banking clients to accounting tools, backup files and others. TeslaCrypt’s own target list is notably heavier on game-related extensions.
Webroot also analyzed the ransomware and linked to a Pastebin post with the full list of file extensions TeslaCrypt encrypts; Webroot warned that “tools like decryptolocker.com are NOT going to work on this variant.” Although the crypto-ransomware GUI suggests “free decryption” if you click, “it’s just a lie; here is what you are presented with when you go to the decryption site and enter the bitcoin address it assigns you.”
Bitcoin is the preferred method of payment: the ransom is 1.5 bitcoins, about $415 at the time of the screenshot and, since the exchange rate fluctuates, about $430 at the time of writing this article. Choosing to pay via two PayPal My Cash Cards instead roughly doubles the ransom, to about $1,000.
TeslaCrypt “allows you to decrypt one file for free to prove that they can indeed decrypt your files;” the ransomware also comes with “support.” Bleeping Computer added, “Last, but not least, the site includes a message system that allows a victim to communicate privately with the malware developers.”
Advising people not to pay the ransom is easy when it’s not your own files being held hostage. But really, you shouldn't pay. Please make sure to back up your files and store them on an external hard drive that stays disconnected from your PC except while you are actually backing up: TeslaCrypt encrypts every drive it can reach, so a permanently attached backup drive is just one more target. Bromium also warned: “be also careful with your DropBox (or other cloud services). If you have folders synchronized with an online storage – malware will get to them too.”
There’s no guarantee you can restore files, but Bleeping Computer suggested, “Restore files from a backup or try restoring your files using Shadow Explorer or with a file recovery tool like R-Studio, Photorec, or Recuva.”
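The Shadow Explorer suggestion works because Windows Volume Shadow Copies hold earlier versions of the files on a volume. The following is an added example, not part of this article or of any tool it names, that does the same job from an elevated PowerShell prompt: it lists the shadow copies on the system, exposes the newest one as a read-only directory, and copies a saved-game folder out of it. The link path C:\ShadowView, the saved-game location and the destination D:\recovered are placeholders you will need to adjust.

```powershell
# Added example (not from the article): recover pre-infection file versions
# from Volume Shadow Copies. Run from an elevated PowerShell prompt.
# Paths marked PLACEHOLDER are assumptions; adjust them to your machine.

# Enumerate shadow copies, newest first, so you can pick one taken before the infection.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object -Property InstallDate -Descending
if (-not $shadows) { throw "No shadow copies found on this system." }
$shadows | Format-Table -AutoSize ID, InstallDate, DeviceObject, VolumeName

# Take the newest copy. If it post-dates the infection (encrypted files inside),
# pick an older one instead, e.g. $shadow = $shadows[1]
$shadow = $shadows[0]

# Expose the snapshot as a directory. mklink needs the trailing backslash on the device path.
$linkPath = 'C:\ShadowView'            # PLACEHOLDER: any path that does not yet exist
cmd /c mklink /d $linkPath "$($shadow.DeviceObject)\" | Out-Null

try {
    # PLACEHOLDER paths: where the game keeps its saves, and a destination on a separate disk.
    $saves = Join-Path $linkPath "Users\$env:USERNAME\Documents\My Games"
    $dest  = 'D:\recovered\My Games'
    if (Test-Path $saves) {
        New-Item -ItemType Directory -Force -Path $dest | Out-Null
        Copy-Item -Path "$saves\*" -Destination $dest -Recurse -Force
        Write-Host "Copied saves from snapshot taken $($shadow.InstallDate) to $dest"
    } else {
        Write-Warning "No saves folder in this snapshot; try an older shadow copy."
    }
} finally {
    # Remove only the directory link; rmdir on a symlink does not touch the snapshot itself.
    cmd /c rmdir $linkPath | Out-Null
}
```

Shadow copies only help if they exist and pre-date the encryption: a snapshot taken after the infection simply contains the encrypted files, and ransomware families commonly delete shadow copies altogether, which is why a detached offline backup remains the primary defence. Check InstallDate against the time the ransom note appeared before copying anything back.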