Today everyone is crazy about the well-loved augmented-reality game Pokemon Go. People of every social status are playing it, so cybercriminals decided not to miss the opportunity to trap its users; the game itself became a target.
Security researcher Michael Gillespie discovered a fake Pokemon Go app for Windows that is in fact ransomware. It encrypts files and also creates a backdoor into the whole system.
The ransomware resembles Hidden Tear, which researcher Utku Sen published on GitHub for educational purposes. According to Bleeping Computer, it targets Arabic-speaking users.
At first the ransomware looks like any other software. Once installed, it searches for files with the following extensions: .txt, .rtf, .doc, .pdf, .mht, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .htm, .gif. When a matching file is found, the malware encrypts its contents and appends “.locked” to the file name. It then displays a picture of Pikachu together with the attacker’s email address.
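As an added example (not part of the article and not the malware's own code), the following Python check lets a defender sweep a directory tree for files that match the naming pattern described above, a targeted extension followed by ".locked", and whose content looks encrypted. The constructed sample tree, the entropy threshold and the function names are assumptions of this example.

```python
import math
import os
import tempfile
from pathlib import Path

# Extensions the article says the sample targets before appending ".locked".
TARGETED_EXTS = {".txt", ".rtf", ".doc", ".pdf", ".mht", ".docx", ".xls", ".xlsx",
                 ".ppt", ".pptx", ".odt", ".jpg", ".png", ".csv", ".sql", ".mdb",
                 ".sln", ".php", ".asp", ".aspx", ".html", ".xml", ".psd", ".htm", ".gif"}
LOCKED_SUFFIX = ".locked"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed content approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_locked_files(root, entropy_threshold=7.0):
    """Return relative paths under root named <name>.<targeted ext>.locked
    whose first 4 KiB look encrypted (high entropy). Threshold is an assumption."""
    hits = []
    for path in Path(root).rglob("*" + LOCKED_SUFFIX):
        if not path.is_file():
            continue
        inner_ext = Path(path.name[:-len(LOCKED_SUFFIX)]).suffix.lower()
        if inner_ext not in TARGETED_EXTS:
            continue
        if shannon_entropy(path.read_bytes()[:4096]) >= entropy_threshold:
            hits.append(str(path.relative_to(root)))
    return sorted(hits)

def build_constructed_tree():
    """Constructed sample directory (not real victim data) for a self-test."""
    root = Path(tempfile.mkdtemp(prefix="pokemongo_demo_"))
    (root / "notes.txt").write_text("plain text, untouched")
    (root / "report.docx.locked").write_bytes(os.urandom(4096))  # looks encrypted
    (root / "photo.jpg.locked").write_bytes(b"A" * 4096)         # low entropy: not flagged
    (root / "archive.zip.locked").write_bytes(os.urandom(4096))  # .zip is not a targeted ext
    (root / "docs").mkdir()
    (root / "docs" / "budget.xlsx.locked").write_bytes(os.urandom(4096))
    return root

if __name__ == "__main__":
    for hit in find_locked_files(build_constructed_tree()):
        print("possible ransomware output:", hit)
```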
Closer analysis showed that the ransomware not only blocks access to the files but also creates a new administrator account named Hack3r, which gives the attacker access to the system. It also provides for replicating itself and for creating a network share.
Several signs suggest the malware is still under development. In particular, it uses the static encryption key “123vivalalgerie”. The finished product will probably generate a unique key and upload it to the attacker’s server.