WannaCry ransomware impersonator targets Russian players of the "Enlisted" FPS
The Enlisted multiplayer first-person shooter is being used as a lure in a ransomware operation that distributes trojanized copies of the game to Russian gamers through a bogus website.
Because the game is free, the threat actors could simply download the publisher's installer, modify it, and use it to deliver malicious payloads to unwary users.
Enlisted is a legitimate game released by Gaijin Entertainment in 2021, with between 500,000 and one million active players.
Using the malicious installer (Cyble)
The malware bundled with the game installer poses as the third major iteration of the infamous WannaCry ransomware, going as far as using the .wncry extension on encrypted files.
According to the Cyble researchers who analyzed the strain, the new "WannaCry" variant is built on the open-source "Crypter" Python locker, a project published for educational purposes.
This is not the first time a strain has mimicked WannaCry; the name is most likely borrowed to frighten victims into paying quickly.
Configuration file for ransomware (Cyble)
When opened, Enlisted_beta-v1.0.3.115.exe, the installer downloaded from the bogus website, drops two executables on the user's disk: "ENLIST1" (the game itself) and "enlisted" (the Python ransomware launcher).
The launcher then parses a JSON configuration file for the parameters of the attack: the file types to target, the directories to skip, the ransom note to generate, the wallet address the ransom should be sent to, and more.
The Crypter ransomware then looks in its working directory for a "key.txt" file to use in the encryption process and creates one if it does not find one.
Each locked file is encrypted with AES-256 and given the ".wncry" extension.
Interestingly, the ransomware does not try to kill processes or stop services, which is common practice among contemporary lockers.
It does, however, employ the conventional tactic of deleting Windows Volume Shadow Copies to hinder easy data recovery.
After encryption completes, the ransomware displays the ransom note in a dedicated GUI window, giving the victim three days to comply with the demands.
The GUI-based ransomware note (Cyble)
Even if the victim's antivirus software blocks the GUI ransom note from launching, the threat actors still get their message across by changing the victim's desktop wallpaper.
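The infection chain above (installer drops a Python launcher, a JSON config drives the attack, key.txt sits in the working directory, files get a .wncry extension, shadow copies are deleted) gives a responder a small set of concrete things to look for. The following is an added triage example written for this page; it is not code from Cyble, from the Crypter project or from the campaign. It assumes a simple "Key=Value|Key=Value" process-creation record format, an arbitrary drop location under %TEMP%, and hypothetical JSON field names (extensions, skip_dirs, ransom_note, wallet) that merely mirror the parameters listed above; the log lines and victim file tree are constructed inline.

```python
import json
import ntpath
import re
import tempfile
from pathlib import Path

# Added triage example (not Cyble's or Crypter's code). Log lines, file tree and
# JSON field names below are constructed; the field names are an assumption.

# Command lines commonly used by lockers to destroy Volume Shadow Copies.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*Remove-WmiObject", re.I),
]
# Installer and dropped launcher names reported for this campaign (lower-case).
CAMPAIGN_IMAGES = {"enlisted_beta-v1.0.3.115.exe", "enlisted.exe", "enlisted"}

def parse_record(line):
    """Parse one 'Key=Value|Key=Value' process-creation record."""
    rec = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        rec[key.strip()] = value.strip()
    return rec

def classify(rec):
    """Return the reasons a process-creation record looks suspicious."""
    reasons = []
    image = ntpath.basename(rec.get("Image", "")).lower()    # Windows paths
    parent = ntpath.basename(rec.get("ParentImage", "")).lower()
    if any(p.search(rec.get("CommandLine", "")) for p in SHADOW_DELETE_PATTERNS):
        reasons.append("shadow-copy deletion")
    if image in CAMPAIGN_IMAGES:
        reasons.append("campaign installer/launcher started")
    if parent in CAMPAIGN_IMAGES and image != parent:
        reasons.append("child of campaign installer/launcher")
    return reasons

def detect_in_logs(lines):
    """Return [(reasons, record)] for every record that trips a rule."""
    hits = []
    for rec in map(parse_record, lines):
        if reasons := classify(rec):
            hits.append((reasons, rec))
    return hits

# Constructed records; the drop location under %TEMP% is an assumption.
SAMPLE_LOG = [
    r"Image=C:\Users\victim\Downloads\Enlisted_beta-v1.0.3.115.exe|CommandLine=Enlisted_beta-v1.0.3.115.exe|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Users\victim\AppData\Local\Temp\ENLIST1.exe|CommandLine=ENLIST1.exe|ParentImage=C:\Users\victim\Downloads\Enlisted_beta-v1.0.3.115.exe",
    r"Image=C:\Users\victim\AppData\Local\Temp\enlisted.exe|CommandLine=enlisted.exe|ParentImage=C:\Users\victim\Downloads\Enlisted_beta-v1.0.3.115.exe",
    r"Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe delete shadows /all /quiet|ParentImage=C:\Users\victim\AppData\Local\Temp\enlisted.exe",
    r"Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe readme.txt|ParentImage=C:\Windows\explorer.exe",
]

# Assumed config keys mirroring the parameters the page lists.
CONFIG_FIELDS = ("extensions", "skip_dirs", "ransom_note", "wallet")

def scan_directory(root):
    """Walk `root` (ideally a mounted image) and collect the on-disk artefacts."""
    report = {"encrypted": [], "key_files": [], "configs": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name.endswith(".wncry"):
            report["encrypted"].append(path.name)
        elif name == "key.txt":
            report["key_files"].append(str(path))
        elif name.endswith(".json"):
            try:
                data = json.loads(path.read_text(encoding="utf-8"))
            except (ValueError, OSError):
                continue
            if isinstance(data, dict) and all(k in data for k in CONFIG_FIELDS):
                report["configs"].append(path.name)
    return report

def build_sample_tree():
    """Create a constructed victim directory in a temp folder and return it."""
    root = Path(tempfile.mkdtemp(prefix="enlisted_triage_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "thesis.docx.wncry").write_bytes(b"\x00" * 32)
    (docs / "photo.jpg.wncry").write_bytes(b"\x00" * 32)
    (docs / "notes.txt").write_text("untouched")
    (root / "key.txt").write_text("constructed-placeholder-key")
    (root / "config.json").write_text(json.dumps({
        "extensions": [".docx", ".jpg"], "skip_dirs": ["Windows"],
        "ransom_note": "constructed note", "wallet": "constructed-wallet"}))
    (root / "settings.json").write_text(json.dumps({"unrelated": True}))
    return root

if __name__ == "__main__":
    print(detect_in_logs(SAMPLE_LOG))
    print(scan_directory(build_sample_tree()))
```

Two practical notes. A vssadmin or wmic shadow-copy deletion whose parent is a user-land game binary is the highest-signal event in that log and is worth alerting on regardless of the rest of the chain. And because the page says the locker reads or creates key.txt in its working directory, a responder should preserve that file from an offline copy of the disk before anything else; whether it holds a directly usable key depends on the build, so treat it as evidence to examine, not as a guaranteed recovery path.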
Instead of using a Tor site or giving victims a secure chat link, the attackers communicate with them through a Telegram bot.
Enlisted is one of the alternatives Russian gamers have turned to after national bans on popular FPS games pushed them to look elsewhere for entertainment.
The threat actors appear to have seized on this opportunity, and it would not be surprising if they set up more fake websites for games with Russian localization.
Ransome note to user on the background screen (Cyble)