Ransomware now targeting PC Games

Slag

#1  Edited By Slag

I don't know if people on here are aware of this yet, but you should be if you play PC games.

Bromium Labs recently discovered (or rediscovered) a variant of Cryptolocker (called Teslacrypt), a real nasty piece of ransomware that targets specific games now (as well as pretty much all of Steam itself from the sounds of it).

http://www.zdnet.com/article/new-cryptolocker-ransomware-targets-gamers/

http://www.bleepingcomputer.com/forums/t/568525/new-teslacrypt-ransomware-sets-its-scope-on-video-gamers/ (a forum thread on Bleeping Computer from a few weeks ago where this may first have been revealed)

http://www.neogaf.com/forum/showthread.php?t=704302 (a GAF thread from 2013 about vanilla Cryptolocker)

Affected games and software according to Bromium (I'm quoting their list here, in case the forum post doesn't make it clear):

http://labs.bromium.com/2015/03/12/achievement-locked-new-crypto-ransomware-pwns-video-gamers/

  1. Single User Games
    • Call of Duty
    • StarCraft 2
    • Diablo
    • Fallout 3
    • Minecraft
    • Half-Life 2
    • Dragon Age: Origins
    • The Elder Scrolls and specifically Skyrim related files
    • Star Wars: Knights of the Old Republic
    • Warcraft 3
    • F.E.A.R.
    • Saints Row 2
    • Metro 2033
    • Assassin’s Creed
    • S.T.A.L.K.E.R.
    • Resident Evil 4
    • Bioshock 2
  2. Online Games
    • World of Warcraft
    • Day Z
    • League of Legends
    • World of Tanks
    • Metin2
  3. Company Specific Files
    • Various EA Sports games
    • Various Valve games
    • Various Bethesda games
  4. Gaming Software
    • Steam

  5. Game Development Software
    • RPG Maker
    • Unity3D
    • Unreal Engine

Ransomware, if you are not familiar with it, can be very, very nasty stuff. The general concept is that this malware encrypts a program of yours unless you pay the jerks who wrote it a ransom (usually in bitcoin), hence "ransomware". Or, of course, unless you actually find a way to remove it, which unsurprisingly is often very difficult to do. I don't know if paying them the ransom will actually restore anything; I suspect not.

The malware often attempts to pose as your local law enforcement in an attempt to scare you into complying with the ransom, as well as having a prominent destruction timer threatening to destroy the key to unlock your files if you don't pay by X date/time. Nasty stuff and mean-spirited.

This particular ransomware unfortunately seems to be using a Flash exploit in some banner ads and torrents as a vector for infection.

I think it's probably a very good idea to disable or remove Java and Flash if you don't need them (you can re-enable them for sites you trust), don't use IE if at all possible, and of course make backups of all your files regularly to a drive that isn't continually attached to your PC.

nightriff

Thanks for the heads up, as long as they stay away from Cities: Skylines, I'll be ok

Crembaw

#3  Edited By Crembaw

Will ABP help any in avoiding this?

EDIT: My mistake, I misunderstood that this seems to only be affecting Opera and IE right now.

Slag

@nightriff said:

Thanks for the heads up, as long as they stay away from Cities: Skylines, I'll be ok

I think it can brick your entire Steam library if I read the analysis right.

From the Bromium Labs report:

Files are targeted by extension. Concretely these are user profile data, saved games, maps, mods etc. Often it’s not possible to restore this kind of data even after re-installing a game via Steam.
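Slag's advice earlier in the thread (back up to a drive that isn't continually attached) and the Bromium observation quoted here (files are picked by extension) suggest a simple check a PC gamer can run. The script below is an added example, not code from this thread, from Bromium's report or from any of the games listed: it hashes the save-file directory into a manifest (meant to be stored on the detached backup drive), then later audits the same tree and flags files whose hash changed and whose content now looks like ciphertext (byte entropy near the 8-bit maximum), files that have vanished, and new files that look like a known file with an extension appended. The extensions in TARGET_EXTS and the sample saves in demo() are assumptions constructed for the demo, not taken from the page.

```python
"""Spot ransomware-style damage to game save files.

Added example, not code from the forum thread or from Bromium's report.
Assumptions (not from the page): the extensions in TARGET_EXTS are an
illustrative guess at what "targeted by extension" covers, and demo()
constructs its own sample files so this runs offline.
"""
import hashlib
import math
import tempfile
from pathlib import Path

# Assumed save/profile extensions; extend this for the games you actually own.
TARGET_EXTS = {".sav", ".ess", ".dat", ".profile"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Structured saves land well below 7; encrypted or
    compressed content sits close to the 8.0 maximum."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """sha256 of every targeted file under root, keyed by POSIX-style relative path.
    Keep the result on the backup drive, not on the PC it describes."""
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in TARGET_EXTS:
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def audit(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the live tree with the manifest. Returns sorted lists of:
    changed       - hash differs from the manifest
    high_entropy  - changed *and* now looks like ciphertext
    missing       - in the manifest but no longer on disk
    renamed       - new file whose name starts with a known file's name
                    (the appended-extension pattern: save.ess -> save.ess.xxx)
    """
    findings = {"changed": [], "high_entropy": [], "missing": [], "renamed": []}
    seen = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        data = p.read_bytes()
        if rel in manifest:
            seen.add(rel)
            if hashlib.sha256(data).hexdigest() != manifest[rel]:
                findings["changed"].append(rel)
                if shannon_entropy(data) >= entropy_threshold:
                    findings["high_entropy"].append(rel)
        elif any(rel.startswith(known) for known in manifest):
            findings["renamed"].append(rel)
    findings["missing"] = list(set(manifest) - seen)
    return {k: sorted(v) for k, v in findings.items()}


def demo() -> dict:
    """Constructed scenario: snapshot two saves, then simulate one being
    overwritten with ciphertext-like bytes and the other being renamed."""
    root = Path(tempfile.mkdtemp(prefix="saves_"))
    (root / "skyrim").mkdir()
    # Low-entropy stand-in for a real save: repetitive key=value text.
    plain = b"".join(f"PLAYER=Slag\nLEVEL={i}\nGOLD={i * 37}\n".encode() for i in range(200))
    (root / "skyrim" / "quick.ess").write_bytes(plain)
    (root / "skyrim" / "auto.ess").write_bytes(plain[::-1])
    (root / "readme.txt").write_bytes(b"not a save file, not tracked")
    manifest = build_manifest(root)

    # Simulated attack. Deterministic SHA-256 output stands in for ciphertext
    # so the result is reproducible; real ransomware output is just as random.
    fake_ciphertext = b"".join(
        hashlib.sha256(b"demo-ctr" + i.to_bytes(4, "big")).digest() for i in range(128)
    )
    (root / "skyrim" / "quick.ess").write_bytes(fake_ciphertext)
    (root / "skyrim" / "auto.ess").rename(root / "skyrim" / "auto.ess.locked")
    return audit(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:13s} {paths}")
```

The entropy test is a heuristic, not proof: a compressed save (many games zip their saves) will also score near 8, which is why the script only applies it to files whose hash no longer matches the manifest. The manifest is only trustworthy if the malware could not reach it, so write it to the backup drive and unplug that drive, exactly as the first post recommends.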

Justin258

It seems like a combination of only using Chrome, always using Adblock Plus, and never using torrents should help me avoid this, but I'll keep it in mind. Sounds like a real bitch to remove.

nightriff

What about a combination of Chrome, AdBlock and Ghostery, should I be good with that setup?

mike

#7  Edited By mike

Things like this are why I have system images automatically created daily. In the rare instance I encounter a malware problem, I simply flash my drive back to the previous day (or even farther back if I need to) and it's as if nothing ever happened.

deactivated-5c4a6d7d37a3f

Well, that's interesting. A computer virus targeted at Steam games? Legit ones? Like, not pirated software or crappy DRM, like we are going to harass you for buying games? I don't get the logic but okay. Sure. Whatever makes you feel good, jerks. I highly doubt this is going to spread too far if EA and Steam are at risk. Money down they have countermeasures out in a week or two before customers start suing them over their purchases, PCs and bank accounts getting busted.

But that aside! I love when crazy new viruses or "ware" crap like this pops up! It's always a good time to flex my hacker muscles and knock these guys down a peg by writing my own antivirus programs and sending the files back at them, or directing their IP or identity to someone with more connections than me and watching what unfolds.

Best of luck to anyone who gets this early before there's any way to efficiently deal with it.

Crembaw

#9  Edited By Crembaw

@therealmoot The logic is simply 'fuck everyone else, this will be amusing.' Hardly surprising in this day and age, but still a huge downer for everyone else.

Zirilius

I work in IT for a company that has had day 0 viruses for Cryptolocker and Cryptowall 3.0, and I can firmly state that this shit sucks. Cryptowall especially, since it required the purchase of bitcoins from shady sites, and on top of that the Federal Government shut down routing to the site to get the private encryption key prior to us being able to purchase the key back.

This stuff can come from anywhere, but the fact that it is targeting games isn't that surprising. Just be careful where and how you browse, and possibly switch to Chrome for the brief interim.

SaturdayNightSpecials

@crembaw: I think the logic might be "We want people to give us/our Russian gangster clients hundreds of dollars in easily-laundered Internet currency."

Crembaw

#12  Edited By Crembaw

@saturdaynightspecials said:

@crembaw: I think the logic might be "We want people to give us/our Russian gangster clients hundreds of dollars in easily-laundered Internet currency."

Well, possibly. Though to be honest they could have just bet on that auction the FBI did a few weeks ago.

musubi

This shit right here is why I use adblockers and scriptblockers. Website ads even on legitimate sites can be filled with all sorts of really nasty scripts.

Crysack

@saturdaynightspecials said:

@crembaw: I think the logic might be "We want people to give us/our Russian gangster clients hundreds of dollars in easily-laundered Internet currency."

I think they might be vastly overestimating how attached people are to their game saves, of all things.

musubi

I'm wondering though, how is this exactly propagating? Is it coming through the actual steam client or somehow infecting games that have launchers that pull assets from the web?

SchrodngrsFalco

Wow, good heads up

SaturdayNightSpecials

@crysack said:

@saturdaynightspecials said:

@crembaw: I think the logic might be "We want people to give us/our Russian gangster clients hundreds of dollars in easily-laundered Internet currency."

I think they might be vastly overestimating how attached people are to their game saves, of all things.

They're not expecting everyone to pay them, of course. That's why the ransom is so high, because then they only need a few "whales" who are in the 90th percentile of gullibility/being a crazy person. The same users who, conveniently, are the most likely to get malware.

Plus, it sounds like they already encrypt lots of other data on your computer that may be actually important. By targeting games, they are now just casting the net a bit wider.

poobumbutt

For the first time in ever, I'm glad to be a console exclusive gamer. This is some scary, shitty stuff.

mike

#19  Edited By mike

@demoskinos said:

I'm wondering though, how is this exactly propagating? Is it coming through the actual steam client or somehow infecting games that have launchers that pull assets from the web?

It doesn't have anything to do with Steam or Steam games. This ransomware is not distributed any differently than any other virus or malware, the only difference is that now the software is encrypting files from popular games. That's it. Computers are infected by code on malicious sites, by users downloading files from untrusted sources, and all the typical vectors that most people know to avoid. You are not going to get a virus by using your Steam client and playing Steam games.

This is almost a non-story, really, although of course it doesn't hurt to raise awareness of malware in general. This type of attack and ransomware has been around for years, but there has just been a slight update to the tactics these people are using and the files they are targeting once systems have been compromised.

mason20

@crysack: Considering this happened to a buddy of mine around 3 months ago: it wasn't losing the saves that was the problem, it was losing photos and other information.

Jrad

Huh. As silly as it sounds, pretty much everything "important" that I have is backed up to the cloud now. Not even intentionally, really, just by virtue of using services like Google Docs and having an Android phone. And most of my Steam games back up save games to the cloud too. If you're just a PC gamer, I don't think you really have to worry too much -- chances are you're not even going to lose your saves, and you can just redownload the actual game data files. It's interesting that stuff like World of Warcraft is on that list: what's it gonna target, your custom configuration settings and UI extensions?...

Compared to, say, account phishing and actual keyloggers, this stuff isn't even on the radar. I'd much rather have this stuff on my PC than get my credit card number stolen or my bank accounts broken into.

super2j

@justin258 said:

It seems like a combination of only using Chrome, always using Adblock Plus, and never using torrents should help me avoid this, but I'll keep it in mind. Sounds like a real bitch to remove.

Hey brother! It sounds like you and I have the same exact approach. I do like to introduce a little danger though, so I do keep a copy of Firefox without Adblock for special occasions.

dagas

I'd never pay. I'd rather lose a save for a game. I mean, you can always reinstall the game.