
CS:GO Ransomware

Posted: April 26, 2018

The CS:GO Ransomware is a Trojan that generates pop-ups asking that its victims play Counter-Strike: Global Offensive to reverse its attacks, which may include encrypting, deleting, or otherwise damaging your files. While its file-ransoming features aren't complete, most users should keep backups of any media that they wish to preserve against attacks of this nature. A standard anti-malware product may remove the CS:GO Ransomware safely and immediately after detecting it.

Trojans with Your Files Lined Up in Their Iron Sights

Video gaming remains a relevant side theme among Trojans that extort victims by taking files hostage, as malware experts saw with the RansomMine Ransomware and the PUBG Ransomware, and see anew with both the CS:GO Ransomware and its clone, the MC Ransomware. The Counter-Strike: GO-branded CS:GO Ransomware is the product of Finnish threat actors at NATroutter.net and offers game time as an apparent alternative to paying ransoms in currencies like Bitcoin. Its high activity in threat databases implies that its authors are actively seeking to develop the Trojan into one that successfully evades common anti-malware analysis techniques.

Although the CS:GO Ransomware doesn't lock or delete your files for now, the resources for accomplishing such attacks (for instance, Hidden Tear's source code) are widely and freely available, as a matter of public record. Threat actors could, with minimal effort, add a simple data-encrypting feature that locks the user's documents, pictures, and other files before the CS:GO Ransomware loads its pop-up, which is the only feature that malware experts are verifying as functional. The message window displays a prompt encouraging the victim to play Counter-Strike, a screenshot from that program, and a label promoting the noted website.

The CS:GO Ransomware and the MC Ransomware are nearly identical to each other and differ primarily in the games they promote, with the MC Ransomware preferring Minecraft. Opening and playing the associated game may or may not give the victims an unlocked decryption feature that restores their files. As a rule, malware experts suggest not following the instructions dropped by threats like the CS:GO Ransomware, especially if backups are available.

Striking Back against a Counter-Strike Trojan

Since its authors are actively developing and testing the CS:GO Ransomware and its relative, the MC Ransomware, many details of its upcoming campaign remain in flux. Some of the most relevant distribution exploits that malware researchers recommend watching for include:

  • E-mail attachments may drop Trojans like the CS:GO Ransomware onto your PC by abusing in-document macros or mislabeling an installation executable as another format (such as a PDF document).
  • File-sharing sites and networks, particularly ones trafficking in illicit content, may disguise Trojans like the CS:GO Ransomware as another kind of download, such as a top-selling game, crack or cheat engine.
  • Some EKs like the RIG Exploit Kit and the Nebula Exploit Kit also employ drive-by-downloads that install file-locking threats highly similar to the CS:GO Ransomware. An unprotected Web browser may load these attacks automatically after any exposure to a corrupted website.
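
A defender-side triage check for the e-mail attachment vector in the list above (macro-bearing documents and executables mislabeled as documents), added here as an example and not taken from the original article. The extension lists, function names and sample bytes are constructed assumptions; legacy OLE formats such as .doc are not inspected.

```python
import io
import zipfile
from pathlib import PurePath

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}  # assumed list
EXE_EXTS = {".exe", ".scr", ".com", ".pif"}                            # assumed list

def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\x00\x00"

def has_vba_project(data: bytes) -> bool:
    """True if data is an OOXML (zip) container that carries a VBA macro project."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())

def triage(filename: str, data: bytes) -> list:
    """Return the reasons an attachment deserves a closer look (empty list: none found)."""
    suffixes = [s.strip().lower() for s in PurePath(filename).suffixes]
    last = suffixes[-1] if suffixes else ""
    reasons = []
    if is_pe(data) and last not in EXE_EXTS:
        reasons.append("executable content under a non-executable extension")
    if last in EXE_EXTS and any(s in DOC_EXTS for s in suffixes[:-1]):
        reasons.append("document extension followed by an executable extension")
    if has_vba_project(data):
        reasons.append("Office document contains a VBA macro project")
    return reasons

def fake_pe() -> bytes:
    """Constructed sample: the smallest byte string shaped like a PE header."""
    return b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"

def fake_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: an in-memory zip laid out like a Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, blob in [("invoice.pdf", fake_pe()), ("invoice.pdf.exe", fake_pe()),
                       ("report.docm", fake_ooxml(True)), ("notes.docx", fake_ooxml(False))]:
        print(name, "->", triage(name, blob) or "no findings")
```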

Besides implementing the standard security precautions against these attacks, users can best protect their documents and other media by backing them up to other devices. Any quality anti-malware product should also delete the CS:GO Ransomware without any problems.

The CS:GO Ransomware's ransoming method may seem friendlier than demanding money for your files, but that doesn't lessen the risk to your digital media. As cyber-crooks grow bolder in demanding arbitrary actions from those whom they attack, the average PC owner will need to be even more cautious about what downloads they trust.
