When ransomware developers achieve huge media buzz like we saw with the PUBG Ransomware, it is not surprising to see other developers creating copycats. This is the case with two new in-development ransomware programs, if we can even call them that, for both Minecraft and Counter-Strike: Global Offensive (CS: GO).

Discovered by MalwareHunterTeam, neither of these programs actually encrypts any files on the computer. Instead, they just display a window that waits for a particular game-related program to launch. Due to their limited functionality, I wouldn't even call them ransomware if it wasn't for the title that they used in the window.

MC Ransomware

The first one is MC Ransomware, which we expect will force a user to play Minecraft in order to decrypt their files if encryption functionality is ever added. MalwareHunterTeam found 11 different samples of this infection, but when I checked them, the differences between the first and latest one, where they fixed a bug in the process detection routine, were minor.

MC Ransomware (MineCraft)

Right now it just sits there waiting for someone to run an executable that is not MinecraftLauncher and that contains the string "Minecraft" in it. Once a program that contains the string is executed, the status text will change to "Playing minecraft". Like the PUBG Ransomware, you can name any executable as minecraft.exe and it will trigger the detection.

MC Ransomware Process Check

CSGO Ransomware

The second variant is called CSGO Ransomware and it waits for an executable that contains the string "csgo" to be executed. This program had 7 different variants, with the latest one fixing a bug in the amount of time played being displayed.

CSGO Ransomware (Counterstrike: Global Offensive)

Its code, shown below, will properly detect any executable with the string "csgo" in it and increment a timer that is displayed on the screen showing how much time you played the game.

CS: GO Process Check

Like MC Ransomware, this program does not encrypt anything.
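The two process checks described above can be modelled over a few process snapshots to show that they look only at the executable's name. This is an added illustration, not code from the samples; the case-insensitive comparison, the exact-name launcher exclusion, the one-second polling tick, and all snapshot contents are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NameCheck:
    """Model of a name-only process check (hypothetical helper)."""
    needle: str            # substring looked for in the process name
    excluded: tuple = ()   # names that never count, e.g. the launcher

    def matches(self, process_name: str) -> bool:
        # Assumption: case-insensitive, because the article says a file
        # named minecraft.exe satisfies the "Minecraft" check.
        stem = process_name.lower()
        if stem.endswith(".exe"):
            stem = stem[:-4]
        # Assumption: the launcher is excluded by exact name.
        if stem in (e.lower() for e in self.excluded):
            return False
        return self.needle.lower() in stem


MC_CHECK = NameCheck("Minecraft", excluded=("MinecraftLauncher",))
CSGO_CHECK = NameCheck("csgo")


def seconds_played(check, snapshots, tick_seconds=1):
    """Count polling ticks in which any process name satisfies the check."""
    hits = sum(any(check.matches(n) for n in snap) for snap in snapshots)
    return hits * tick_seconds


# Constructed snapshots: one list of running process names per polling tick.
SNAPSHOTS = [
    ["explorer.exe", "MinecraftLauncher.exe"],  # launcher alone: ignored
    ["explorer.exe", "notepad.exe"],            # nothing relevant
    ["explorer.exe", "minecraft.exe"],          # any file with this name
    ["explorer.exe", "csgo.exe"],               # counts toward the timer
    ["my_csgo_notes.exe"],                      # substring is enough
]

if __name__ == "__main__":
    print("MC ticks matched:  ", seconds_played(MC_CHECK, SNAPSHOTS))
    print("CSGO seconds shown:", seconds_played(CSGO_CHECK, SNAPSHOTS))
```

Because nothing about the binary beyond its name is inspected, the check says nothing about whether the game itself is running.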

Ransomware is not a joke

As much as people may find it funny to create programs like this, ransomware is not a joke. Too many businesses and people are harmed by these types of infections and to create this type of program for "educational" purposes or to impress your friends is just irresponsible.

Setting aside the fact that someone may accidentally run it and have no idea what to do afterwards, it could have serious legal ramifications for the creator. If a joke ransomware is accidentally, or purposely, installed on a machine and its owner files a complaint with law enforcement, your little joke may land you in jail.

Be smart, people. Don't create malware for educational and joke purposes. No good can come out of it.


MC Ransomware Hashes:


CSGO Ransomware Hashes:
