
Pokemon GO Ransomware Leverages Game's Success to Install Backdoor Access Accounts on Victimized Windows PCs

Posted: August 15, 2016

Pokemon GO is the newest craze to reach smartphones and mobile devices around the world. While the success of Pokemon GO is unprecedented, cybercrooks are leveraging that success to attack Windows computers through a newly created Pokemon GO Ransomware that installs a Windows administrator backdoor access account on victimized computers.

First discovered by computer security researcher Michael Gillespie (Twitter account: @demonslay335), the Pokemon GO Ransomware is a work in progress that is distributed as a Windows executable file. The executable, PokemonGo.exe, carries a Pikachu icon, reminiscent of one of the main characters in the popular game. Running the executable immediately starts a file encryption process, much like the encryption-type ransomware we discover on a daily basis. From there, Pokemon GO Ransomware adds a registry key and hides a Windows admin account called "Hack3r," which is believed to provide a gateway for outside or remote users to gain access to the infected Windows PC.

Computer security researcher, Michael Gillespie's Tweet identifying Pokemon GO Ransomware

Looking into the makeup of Pokemon GO Ransomware, it appears to be a threat that is still under development, as it is not a complete rendition of encryption ransomware when compared to the countless other threats we have identified in the past. Researchers are confident that Pokemon GO Ransomware is a test version because its encryption key is static and set to "123vivalalgerie," which can currently be used to decrypt files that were encrypted upon execution of the PokemonGo.exe file. Moreover, the ransomware attempts to connect to a command & control server at the IP address 10.25.0.169, which cannot currently be reached.

The ransom notification from Pokemon GO Ransomware is written in Arabic, provides the email address blackhat20152015@gmail.com, and roughly translates as follows:

(: Your files have been encrypted, decoding Falaksa Mobilis following address me.blackhat20152015@mt2015.com and thank you in advance for your generosity

Naturally, given the craze and hype surrounding the Pokemon GO mobile game, computer users may be intrigued by the Pokemon GO Ransomware executable and enticed to click on it to open it. We believe, along with many other computer security researchers, that Pokemon GO Ransomware is a work in progress that could eventually become a dominant force in the ever-growing world of encryption ransomware.

Currently, computer users who encounter Pokemon GO Ransomware and have it loaded on their computer are advised to remove the threat and contact Michael Gillespie for the current decryption key to recover files encrypted by the malware. Otherwise, Pokemon GO Ransomware loaded on a Windows computer could enable and expose an account for backdoor access, which may eventually lead to a remote attacker infiltrating the infected computer to pilfer data.
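The article describes the backdoor as a hidden local administrator account named "Hack3r" that is registered through a registry key, but it does not name the key. The following PowerShell check is an added example written for this page (it is not code from the article, from the researcher, or from the malware analysis): it lists local Administrators group members, flags any member hidden from the logon screen through the Winlogon SpecialAccounts\UserList key (a standard Windows mechanism for hiding accounts; that the sample uses this particular key is an assumption here), flags any member whose name matches the reported "Hack3r", and pulls recent account-creation events (Security event ID 4720) for those names so an analyst can see when the account appeared.

```powershell
# Added defender-side check, not part of the original article.
# Assumptions: the hidden account is registered via the Winlogon
# SpecialAccounts\UserList key (the article only says "a registry key"),
# and the script runs elevated in Windows PowerShell 5.1 or later.

$SuspectName = 'Hack3r'   # account name reported in the article
$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Get-HiddenAccountNames {
    # Accounts listed under UserList with a DWORD value of 0 are hidden from the logon screen.
    if (-not (Test-Path $UserListKey)) { return @() }
    $props = Get-ItemProperty -Path $UserListKey
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |
        ForEach-Object { $_.Name }
}

function Find-SuspiciousAdmins {
    $hidden = @(Get-HiddenAccountNames)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object {
            $name = ($_.Name -split '\\')[-1]      # strip the COMPUTER\ prefix
            [PSCustomObject]@{
                Name            = $name
                HiddenFromLogon = ($hidden -contains $name)
                MatchesReported = ($name -ieq $SuspectName)
            }
        } |
        Where-Object { $_.HiddenFromLogon -or $_.MatchesReported }
}

function Get-AccountCreationEvents {
    param([string[]]$Names, [int]$Days = 30)
    # Event 4720 = "A user account was created"; Properties[0] is TargetUserName.
    $filter = @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.Properties[0].Value } |
        Select-Object TimeCreated, @{ n = 'Account'; e = { $_.Properties[0].Value } }
}

$findings = @(Find-SuspiciousAdmins)
if ($findings.Count -gt 0) {
    Write-Warning "Suspicious local administrator account(s) found:"
    $findings | Format-Table -AutoSize
    Get-AccountCreationEvents -Names $findings.Name | Format-Table -AutoSize
    Write-Output "If these accounts are unexpected, disable them (Disable-LocalUser -Name <name>) and preserve the event log before cleanup."
} else {
    Write-Output "No hidden or '$SuspectName' accounts found in the local Administrators group."
}
```

Run the script elevated; reading the Security log and the HKLM Winlogon key both require administrative rights. A matching Administrators member that is also hidden from the logon screen is the combination the article describes and should be treated as a confirmed backdoor rather than a false positive. The reported command & control address, 10.25.0.169, is in the 10.0.0.0/8 private range, so a check for outbound connections to it is only meaningful on the local network segment; it will not appear in perimeter firewall logs.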
