
HeroesOftheStorm Ransomware

Posted: September 15, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 21
First Seen: September 15, 2017
Last Seen: June 12, 2022
OS(es) Affected: Windows

The HeroesOftheStorm Ransomware is a variant of the Hidden Tear file-locking Trojan. Unlike most releases from this family, the HeroesOftheStorm Ransomware doesn't ask the victim for ransom payments, and, instead, demands that they log a play session of the Heroes of the Storm video game. Since this Trojan's decryption feature is fraudulent, victims should use other methods of restoring their files, along with anti-malware products for removing the HeroesOftheStorm Ransomware safely.

The Storm that's Coming for Your File

The people who invest even a minor amount of time into designing Trojans with file-locking features almost always do so to make money from their attacks. This rule of thumb is sometimes belied, however, by threat actors like the designer of the HeroesOftheStorm Ransomware, a minor variant of the Turkish Hidden Tear. Although the HeroesOftheStorm Ransomware shows the standard file-locking functionality that malware experts have come to expect, it also has a unique 'ransom' demand: asking its victims to play video games.

All samples of the HeroesOftheStorm Ransomware available for analysis are unfinished and buggy, and the Trojan is likely to crash with generic error messages before completing its payload. However, its working encryption feature, based on Hidden Tear's code, uses an AES cipher to encrypt and block access to media formats such as JPG, DOC or GIF. Malware experts can verify that the HeroesOftheStorm Ransomware currently attacks only a 'test' folder on the desktop, which is a typical condition for threat actors who aren't ready to deploy their file-locking threats in publicly distributed campaigns.
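Because the Trojan leaves the original file names in place and only overwrites their contents with AES output, a quick way to scope which files in a folder were actually hit is to check whether each file's leading bytes still match its extension and whether the body looks random. The script below is an added, defender-side triage example written for this article; it is not the Trojan's code nor anything from the Hidden Tear project. The magic-byte table covers only the three formats the article names, the `7.5` entropy threshold is an assumption, and the sample folder it builds (an intact GIF, a mislabelled low-entropy `.jpg`, and a `.jpg` filled with seeded pseudo-random bytes standing in for ciphertext) is constructed data.

```python
"""Triage helper: flag media files whose contents no longer match their
extension and look like ciphertext, to scope a Hidden Tear style attack.
Added example for this article; not the Trojan's or Hidden Tear's code."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path
from typing import List, Optional

# Leading bytes for the formats the article names (JPG, DOC, GIF).
# DOC is the legacy OLE2 compound-file header; GIF has two variants.
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES output sits near 8.0, most plaintext well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_matches(path: Path) -> Optional[bool]:
    """True/False when the extension is one we know; None otherwise."""
    sigs = MAGIC.get(path.suffix.lower())
    if sigs is None:
        return None
    with path.open("rb") as fh:
        head = fh.read(max(len(s) for s in sigs))
    return any(head.startswith(s) for s in sigs)


def find_suspect_files(folder: Path, entropy_threshold: float = 7.5) -> List[Path]:
    """Return files whose magic bytes are wrong AND whose body is near-random.
    Requiring both conditions keeps merely mislabelled or truncated files
    (wrong header, low entropy) out of the list."""
    suspects = []
    for path in sorted(folder.rglob("*")):
        if not path.is_file() or header_matches(path) is not False:
            continue  # unknown extension, or header still intact
        data = path.read_bytes()
        if len(data) >= 64 and shannon_entropy(data) >= entropy_threshold:
            suspects.append(path)
    return suspects


def build_sample_folder() -> Path:
    """Constructed sample data (assumption, not from the article)."""
    folder = Path(tempfile.mkdtemp(prefix="hots_triage_"))
    (folder / "intact.gif").write_bytes(b"GIF89a" + bytes(200))
    (folder / "mislabelled.jpg").write_bytes(b"hello world " * 50)
    rng = random.Random(1337)  # seeded so the run is reproducible
    (folder / "photo.jpg").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    return folder


if __name__ == "__main__":
    sample = build_sample_folder()
    for hit in find_suspect_files(sample):
        print("likely encrypted:", hit.name)
```

Run it against the desktop 'test' folder the article mentions (or any directory you suspect) by passing that path to `find_suspect_files`; an intact JPEG has a high-entropy body too, which is why the header check comes first and entropy only confirms.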

Related features that the HeroesOftheStorm Ransomware may crash before displaying include a pop-up window that the Trojan themes after Blizzard's Heroes of the Storm multiplayer game, and text messages asking users to play the game for twenty-four hours to decrypt their files. While the HeroesOftheStorm Ransomware claims that it records all live play time automatically, malware analysts can verify that the Trojan has no features for monitoring the user's program usage, including whether Heroes of the Storm is open or playing a live match.

Finding the Heroism to Brave Stormy Weather

The HeroesOftheStorm Ransomware is not a product or affiliate of Blizzard Entertainment and, based on its poor code quality, is being developed by a threat actor without much experience in the Black Hat software industry. Despite that background, its encryption code is a working derivative of the same features in Utku Sen's Hidden Tear. This function makes the HeroesOftheStorm Ransomware a potential data saboteur for any PC user who doesn't back files up to a secondary location, such as a detachable storage device or a cloud service. Victims without backups can contact an appropriate AV security researcher for insight into the decryption process for the Hidden Tear family.

This Trojan also is an example of how threat actors use social engineering to trick the users they attack into taking actions that aren't in their best interests. Since the HeroesOftheStorm Ransomware can't monitor your gaming activities, its file-unlocking instructions are, at best, a frivolous waste of the victim's time. Any threat genuinely capable of such monitoring also would be able to collect information, such as passwords. As a general precaution, malware experts advise disabling any Internet connection before uninstalling the HeroesOftheStorm Ransomware with dedicated anti-malware programs, in all cases.

The fun and games of a Trojan's developer are often more of a headache for the users dealing with it. Jumping through arbitrary hoops for threats like the HeroesOftheStorm Ransomware is a losing proposition, no matter what your gaming lifestyle might be.
