The Posting of a Ransomware Lure on Japanese Minecraft Forums
Gamers create “alt” (alternative) accounts in Minecraft for a variety of reasons, both good and bad: to antagonize or troll other players without getting their main account banned, to maintain a separate in-game identity or persona, to use cheats (gaining an unfair advantage over other players) without risking a ban on their main account, and so on. FortiGuard Labs detected a Chaos ransomware variant concealed in a file that purports to contain a list of “Minecraft Alt” accounts, which suggests that the campaign is aimed at Japanese Minecraft players.
Alt lists are collections of stolen account credentials that gamers can use for the purposes described above, and they are frequently shared openly on Minecraft forums. That is what the criminals behind this attack are relying on to get victims to download and open the file.
In this case the file is an executable, but it carries a text-file icon to trick potential victims into believing it is a plain text file of compromised Minecraft usernames and passwords. We do not know how this particular fake list is being distributed, but it is a reasonable bet that it is being passed around in Japanese Minecraft communities.
How Does the Executable Function?
When the executable is run, the malware searches the compromised machine for files smaller than 2,117,152 bytes and encrypts them, appending a four-character extension made of random characters drawn from “abcdefghijklmnopqrstuvwxyz1234567890”.
Files larger than 2,117,152 bytes that have specific file extensions, however, are not encrypted but overwritten with random bytes, so the victim cannot recover them even if the ransom is paid. This destructive component distinguishes the sample from ordinary ransomware and is its most concerning feature.
It is unclear why the malware developers chose this size threshold, or why they encrypt some files while destroying others. It is worth noting, however, that Chaos was first categorized as wiper malware, with the ransomware component added later.
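The size-threshold logic above matters for incident response: a file that fell into the "encrypt" branch is recoverable in principle if a key is ever obtained, while one that fell into the "overwrite" branch is gone regardless. The following triage script is an added example, not code from the FortiGuard write-up or from the malware itself. It models the rule as the article describes it, including the boundary at exactly 2,117,152 bytes. The article does not list which extensions the overwrite branch targets, so TARGETED_EXTENSIONS is a placeholder assumption, and the sample file listing is constructed for the example.

```python
"""Recoverability triage for the size-threshold behaviour described above.

Added example, not code from the FortiGuard write-up. Files under the
threshold are treated as encrypted (key-recoverable in principle); larger
files with a targeted extension are treated as overwritten with random bytes
(unrecoverable). TARGETED_EXTENSIONS is an assumption: the article does not
name the extensions the overwrite branch applies to.
"""
import ntpath   # victim paths are Windows paths, so split on both separators
import secrets

SIZE_THRESHOLD = 2_117_152                      # bytes, as stated in the write-up
EXT_ALPHABET = "abcdefghijklmnopqrstuvwxyz1234567890"
TARGETED_EXTENSIONS = frozenset({".mp4", ".zip", ".iso"})   # placeholder assumption


def random_extension() -> str:
    """Four characters from the same alphabet the malware appends."""
    return "".join(secrets.choice(EXT_ALPHABET) for _ in range(4))


def classify(path: str, size: int, threshold: int = SIZE_THRESHOLD,
             targeted: frozenset = TARGETED_EXTENSIONS) -> str:
    """What the described logic would do to a file of this path and size.

    'encrypted' -> recoverable in principle if the key is ever obtained
    'destroyed' -> overwritten with random bytes; no key will help
    'untouched' -> outside both branches (large, but not a targeted extension)
    """
    ext = ntpath.splitext(path)[1].lower()
    if size < threshold:            # strictly smaller, per the article's wording
        return "encrypted"
    if ext in targeted:
        return "destroyed"
    return "untouched"


def triage(listing):
    """Group a (path, size) listing by outcome so responders know what is lost."""
    report = {"encrypted": [], "destroyed": [], "untouched": []}
    for path, size in listing:
        report[classify(path, size)].append(path)
    return report


def has_appended_extension(name: str) -> bool:
    """Heuristic for an encrypted name: original extension still present, then a
    four-character [a-z0-9] suffix. Weak on its own, since names such as
    'archive.tar.json' also match; use it to scope a search, not to alert."""
    base, last = ntpath.splitext(name)
    last = last[1:]                                   # drop the leading dot
    if len(last) != 4 or any(c not in EXT_ALPHABET for c in last):
        return False
    return ntpath.splitext(base)[1] != ""


# Constructed sample listing, not real victim data.
SAMPLE_LISTING = [
    ("C:\\Users\\player\\Documents\\notes.txt", 1_024),
    ("C:\\Users\\player\\Videos\\clip.mp4", 50_000_000),
    ("C:\\Users\\player\\backup.zip", 2_117_152),   # exactly the threshold: not "smaller than"
    ("C:\\Users\\player\\game.iso", 2_117_151),     # one byte under: encrypted, not destroyed
    ("C:\\Users\\player\\Pictures\\raw.psd", 9_000_000),
]

if __name__ == "__main__":
    for outcome, paths in triage(SAMPLE_LISTING).items():
        print(f"{outcome:9s} {paths}")
    print("example appended extension:", random_extension())
```

Two points the script makes concrete: a file of exactly 2,117,152 bytes with a targeted extension is destroyed rather than encrypted, and the appended-extension heuristic collides with legitimate double extensions, so it should only narrow a file search rather than drive an alert.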
Following the attack, a ReadMe.txt file is dropped instructing the user to pay a ransom in bitcoin or with pre-paid cards. The amount requested to decrypt the files is 2,000 yen (about $17), which is extremely low compared with the amounts demanded by other ransomware operations. The ransom note does not specify which kind of pre-paid card the attacker wants. Japanese convenience stores sell a wide variety of pre-paid cards (for online shopping, gaming, music, mobile phone top-ups and online streaming services); more than 50,000 convenience stores in Japan sell them, and most are open 24 hours a day, seven days a week.
The ransom note also states that the attacker is only available on Saturdays and apologizes for any inconvenience caused. The malware contains no code to check the compromised machine’s language setting, and the ransom note exists only in Japanese. This, together with the note’s formal style, indicates that this Chaos variant is aimed specifically at Japanese Windows users.
The ransomware also deletes Volume Shadow Copies from the infected machine, so the victim cannot fall back on Windows’ built-in restore points to recover encrypted files, which compounds the damage; only an offline or off-host backup remains as a recovery path. FortiGuard Labs has previously published a blog about ransomware deleting shadow copies. Fortunately, this Chaos variant contains no code to exfiltrate data from the infected machine.
The infection also changes the victim’s desktop wallpaper, presumably to increase the pressure to pay the ransom.
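Shadow-copy deletion is one of the few actions in this chain that is cheap to detect from process-creation telemetry. The scanner below is an added example and not part of the FortiGuard write-up; the article says this variant deletes shadow copies but not how, so the patterns are an assumption covering the methods commonly seen (vssadmin, wmic, WMI via PowerShell, wbadmin, bcdedit), not a description of this sample's code. The log lines are constructed, and the `cmd="..."` key=value layout is invented for the example; in practice the field would be the CommandLine of a Sysmon Event ID 1 or Windows Security Event 4688 record.

```python
"""Detect shadow-copy deletion in process-creation logs.

Added example, not code from the FortiGuard write-up. The rule set is an
assumption about the commonly used deletion methods; the article does not
state which one this Chaos variant uses. Log format and lines are constructed.
"""
import re

SHADOW_COPY_RULES = {
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "vssadmin_resize_shadowstorage":      # shrinking storage evicts copies
        re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete":
        re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wmi_win32_shadowcopy_delete":        # PowerShell / WMI route
        re.compile(r"win32_shadowcopy\b.*(?:\.delete\(\)|remove-wmiobject|remove-ciminstance)", re.I),
    "wbadmin_delete_catalog":
        re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
    "bcdedit_disable_recovery":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

# Constructed line layout: <timestamp> host=<name> pid=<n> cmd="<command line>"
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+cmd="(?P<cmd>.*)"$')


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(cmd: str):
    """Names of every rule that fires on this command line."""
    return [name for name, rx in SHADOW_COPY_RULES.items() if rx.search(cmd)]


def scan(lines):
    """Walk the log and return one hit per line that matches at least one rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skip, do not crash
        names = match_rules(rec["cmd"])
        if names:
            hits.append({"ts": rec["ts"], "host": rec["host"],
                         "pid": int(rec["pid"]), "rules": names, "cmd": rec["cmd"]})
    return hits


# Constructed sample telemetry, not data from a real incident.
SAMPLE_LOG = [
    '2022-01-20T09:14:02Z host=PC-01 pid=4120 cmd="vssadmin delete shadows /all /quiet"',
    '2022-01-20T09:14:02Z host=PC-01 pid=4133 cmd="wmic shadowcopy delete"',
    '2022-01-20T09:14:03Z host=PC-01 pid=4140 cmd="bcdedit /set {default} recoveryenabled no"',
    '2022-01-20T09:14:03Z host=PC-01 pid=4151 cmd="vssadmin list shadows"',   # benign: lists only
    '2022-01-20T09:15:10Z host=PC-01 pid=4200 cmd="powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["host"], hit["pid"], hit["rules"], hit["cmd"])
```

These commands also appear in legitimate administration, so the useful signal is context: the parent process. A backup agent running vssadmin is routine; an executable downloaded from a gaming forum doing so a few seconds before mass file writes is not, and that parent-child relationship is what the alert should key on.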
Final Thoughts on the Chaos Ransomware Variant
Neither this Chaos variant nor its infection vector is remarkable. Despite the low ransom demand, its ability to destroy data beyond recovery makes it more than a prank at the expense of Japanese Minecraft players. Ransomware is still ransomware, and the victim may never get their original files back whether or not they pay. The best advice for users is to stay away from questionable gaming hack sites and simply enjoy the game as intended.
FortiGuard Labs has AV coverage in place for all of the malicious file samples in the report as:
Because of the ease of disruption, the damage to daily operations, the potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), it is important to keep all AV and IPS signatures up to date.