By Pasha Pal, Technology Leader, Check Point
With an estimated 20 million daily users in the US alone, the popularity of the Nintendo-based app PokemonGo was bound to capture the attention of the cyber underworld. Several variants have appeared that exploit the global uptake of the augmented reality game; the first, PokemonGo Ransomware, was quickly followed by DetoxCrypto.
Both are ransomware Trojans that trick gamers into downloading what the authors claim to be a PC version of the game, called pokemongo.exe.
Both viruses then attempt to encrypt data on the victim's device, the former being a version of the "educational" Hidden Tear ransomware.
Both share similar features; PokemonGo Ransomware, for example, creates a hidden user account called "hack3r".
The virus starts by launching an executable, 14104.exe, which is saved to the Windows Startup Folder to ensure that it launches on reboot. The original pokemongo.exe file then launches a replica of itself to encrypt the data on the host device, along with a further duplicate that is stored on the secondary drive and recorded in a Windows registry key. This latter step ensures that the cycle is perpetuated, and persistence is further reinforced by creating yet another executable file in the Windows Startup Folder (7550.exe).
Once the encryption has been completed, a text file (in Arabic) containing the ransom payment information is created but does not open automatically. After this, the hidden user "hack3r" is removed from the login screen and the ransomware stays dormant until the system is rebooted.
When the device is rebooted, three files are launched (14104.exe, 7550.exe and pokemongo.exe), displaying a screensaver with the ransom message.
Lastly, the perpetual process will continue to run in the background to look for new files to encrypt.
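The persistence artefacts described above (Startup Folder executables, the "hack3r" account, a registry autostart entry) can be checked for on a suspect machine. The following PowerShell triage script is an added example, not Check Point's tooling or code from the article; the file names and account name come from the article, while the Run-key locations are assumed, since the article does not name the registry key the malware uses.

```powershell
# Added example (not from the article): triage checks for the persistence
# artefacts the article describes. Names 14104.exe, 7550.exe, pokemongo.exe
# and the user "hack3r" come from the article; everything else is assumed.
$SuspectFiles = @('14104.exe', '7550.exe', 'pokemongo.exe')
$SuspectUser  = 'hack3r'
$findings = @()

# 1. Startup folders (per-user and all-users) are where the article says the
#    executables are dropped so that they survive a reboot.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $SuspectFiles -contains $_.Name.ToLower() } |
        ForEach-Object { $findings += "Startup item: $($_.FullName)" }
}

# 2. The hidden "hack3r" account. Get-LocalUser needs the LocalAccounts
#    module (Windows 10 / Server 2016 and later); assumed available here.
$user = Get-LocalUser -Name $SuspectUser -ErrorAction SilentlyContinue
if ($user) {
    $findings += "Local account present: $($user.Name) (Enabled=$($user.Enabled))"
}

# 3. Run keys: the article mentions a registry key but does not name it, so
#    the standard autostart locations below are an assumption, not an IoC
#    from the article.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
        $exe = [string]$p.Value
        if ($SuspectFiles | Where-Object { $exe -like "*$_*" }) {
            $findings += "Run key value: $key\$($p.Name) = $exe"
        }
    }
}

if ($findings.Count -eq 0) { 'No PokemonGo ransomware artefacts found.' }
else { $findings }
```

A hit on any of these checks is a reason to isolate the host and preserve the dropped files for analysis rather than simply deleting them.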
As ever, vigilance is the key to avoiding infections like these, as is ensuring that your cyber security systems are kept up to date.