When ransomware developers achieve huge media buzz, as we saw with the PUBG Ransomware, it is not surprising to see other developers creating copycats. This is the case with two new in-development ransomware programs, if we can even call them that, for both Minecraft and Counter-Strike: Global Offensive (CS:GO).
Discovered by MalwareHunterTeam, neither of these programs actually encrypts any files on the computer. Instead they just display a window that waits for a particular game-related program to launch. Due to their limited functionality, I wouldn't even call them ransomware if it wasn't for the title that they used in the window.
Looks like someone saw the PUBG ransomware and thought it is a good idea to create these...
It is boring...
Anyway, both aren't encrypting (at least for now). @BleepinComputer @demonslay335 pic.twitter.com/aKVAiCxflK
— MalwareHunterTeam (@malwrhunterteam) April 18, 2018
The first one is MC Ransomware, which we expect will force a user to play Minecraft in order to decrypt their files if encryption functionality is ever added. MalwareHunterTeam found 11 different samples of this infection, but when I checked them, the differences between the first and the latest one were minor; in the latest, they fixed a bug in the process detection routine.
Right now it just sits there waiting for someone to run an executable that is not MinecraftLauncher and that contains the string "Minecraft" in it. Once a program that contains the string is executed, the status text will change to "Playing minecraft". Like the PUBG Ransomware, you can name any executable as minecraft.exe and it will trigger the detection.
The second variant is called CSGO Ransomware and it waits for an executable that contains the string "csgo" to be executed. This program had 7 different variants, with the latest one fixing a bug in how the amount of time played is displayed.
Its code will properly detect any executable with the string "csgo" in it and increment a timer that is displayed on the screen showing how much time you played the game.
Like MC Ransomware, this program does not encrypt anything.
As much as people may find it funny to create programs like this, ransomware is not a joke. Too many businesses and people are harmed by these types of infections, and to create this type of program for "educational" purposes or to impress your friends is just irresponsible.
Forget about the fact that someone may accidentally run it and have no idea what to do afterwards; it could also have serious legal ramifications for the creator. If a joke ransomware is accidentally, or purposely, installed on a machine and the victim files a complaint with law enforcement, your little joke may land you in jail.
Be smart, people. Don't create malware for educational and joke purposes. No good can come out of it.