An open-source ransomware variant (detected by Trend Micro as RANSOM.MSIL.SYRK.A) is being used to target players of Fortnite, an online video game with 250 million gamers as of March 2019. In research by Maharlito Aquino and Kervin Alintanahin of Cyren, the ransomware was found posing as a cheat tool that improves the accuracy of a player's aim (aimbot) and reveals other players' locations on the map. If a player downloads and executes the file, the images, videos, music, and documents stored on the victim's computer are encrypted by a ransomware variant that calls itself "Syrk."
How the ransomware works
Researchers discovered that the open-source ransomware is based on the source code of the Hidden-Cry ransomware, which was made available on GitHub at the end of 2018. If gamers download and run the 12MB executable file named SydneyFortniteHacks.exe, their files are encrypted and appended with the .syrk file extension.
Upon infection, the ransom note will demand payment from victims in exchange for a decryption password. The note also warns that their photo folder, followed by the desktop files, will be deleted if payment isn't made within two hours.
Surprisingly, the researchers also discovered that the encrypted files can be recovered using decryption tools that are also present on the victim machine. One of the resources embedded in the main malware is dh35s3h8d69s3b1k.exe, which is a Hidden-Cry decrypting tool. Because the key used by the ransomware is already known, a PowerShell script that decrypts the files can be written from the Hidden-Cry decryptor's publicly shared source.
An attractive cybercriminal target, the community of Fortnite gamers must remain vigilant against schemes that may seem too good to be true. Since malware authors continue to deploy new evasion tactics and experiment with new distribution methods, users and businesses must stay on their guard. To better defend against ransomware variants such as Syrk, they can adopt the following best practices:
- Regularly back up files and ensure the integrity of these backups.
- Software, programs, and applications must be updated regularly to protect against the latest vulnerabilities.
- The principle of least privilege must be enforced to reduce the attack surface. This can be done by securing the use of system administration tools and by assigning user accounts only the privileges they actually need.
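The first best practice above, verifying backup integrity, and the earlier description of Syrk renaming encrypted files with a .syrk extension can be checked together with a small hash manifest. The following script is an added example and is not code from the article, Cyren's research, or any Trend Micro product: it records a SHA-256 digest for every file in a backup tree, then later compares the tree against that manifest and reports files that went missing, changed content, or now carry the .syrk extension. The directory layout and file contents in demo() are constructed for the example; only the .syrk extension comes from the article.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Extension the article reports Syrk appends to files it has encrypted.
RANSOM_EXTENSION = ".syrk"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the current tree with a previously stored manifest.

    Returns the files that disappeared, the files whose digest changed, the files
    that now carry the ransom extension, and an overall 'intact' verdict.
    """
    current = build_manifest(root)
    missing = [name for name in manifest if name not in current]
    modified = [
        name for name, digest in manifest.items()
        if name in current and current[name] != digest
    ]
    suspicious = [name for name in current if name.endswith(RANSOM_EXTENSION)]
    return {
        "missing": missing,
        "modified": modified,
        "suspicious": suspicious,
        "intact": not (missing or modified or suspicious),
    }


def demo() -> dict:
    """Constructed scenario: manifest a clean backup, then simulate an infection
    that overwrites one file in place and encrypts-and-renames another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "photos").mkdir()
        (root / "photos" / "trip.jpg").write_bytes(b"\xff\xd8constructed-jpeg-bytes")
        (root / "notes.txt").write_text("quarterly notes")

        # Persist the manifest as JSON (kept outside the backup tree in practice).
        stored = json.dumps(build_manifest(root))
        before = verify_backup(root, json.loads(stored))

        # Simulated damage: one file changes content, one is replaced by a .syrk file.
        (root / "photos" / "trip.jpg").write_bytes(b"\x00garbled")
        (root / "notes.txt").rename(root / ("notes.txt" + RANSOM_EXTENSION))
        after = verify_backup(root, json.loads(stored))

        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the script as-is to see both verdicts; in real use, call build_manifest once after a backup completes, store the JSON somewhere the backed-up host cannot write to, and run verify_backup before trusting that backup for a restore.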
Trend Micro ransomware solutions
Enterprises can benefit from a multilayered approach to best mitigate the risks brought by ransomware. At the endpoint level, Trend Micro™ Smart Protection Suites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery™ Inspector detects and blocks ransomware on networks, while the Trend Micro Deep Security™ solution stops ransomware from reaching enterprise servers — whether physical, virtual, or in the cloud. Trend Micro Deep Security, Vulnerability Protection, and TippingPoint provide virtual patching that protects endpoints from threats that exploit unpatched vulnerabilities to deliver ransomware.
Email and web gateway solutions such as Trend Micro Deep Discovery Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. Trend Micro's Cloud App Security (CAS) can help enhance the security of Office 365 apps and other cloud services by using cutting-edge sandbox malware analysis for ransomware and other advanced threats. These solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen powers Trend Micro's suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.