Online gamers are no longer spared the wrath of crypto-ransomware, with a recently discovered attack encrypting game files, as well as iTunes files.
Bromium Labs, and in a separate post, Bleeping Computer, detailed a specific campaign of the ransomware being spread through a local U.S. newspaper’s website. The WordPress-based site redirects visitors to the Angler Exploit Kit through a Flash clip.
The redirect only operates in Internet Explorer (IE) and Opera, and before dropping any malware, Angler checks for the presence of virtual machines and anti-virus products. If none are present, the exploit drops a Flash exploit, CVE-2015-0311, and an IE exploit, CVE-2013-2551.
Then, a new ransomware, identified as TeslaCrypt, drops and claims to be a new version of Cryptolocker, although Bromium Labs’ Senior Security Researcher Vadim Kotov wrote that it most likely is just a re-brand.
The variant targets 185 file extensions, most of which pertain to video games. iTunes files are also affected, but not as much as images and documents.
One reason for this could be because gamers are dedicated to their games, Kotov said in an interview with SCMagazine.com, and might not be able to restore their data, including level maps or online game session replays.
“It’s also a purely psychological effect,” he said. “[When seeing that files are encrypted] a person might actually panic and go and pay [the attackers].”
Affected games include Call of Duty, Minecraft, and Assassin’s Creed, among others.
The ransomware also appears to generate a bitcoin address for each infected device, making finding the attackers difficult.
Also because of this, Kotov couldn’t provide a number of those infected or where they are primarily based. Although he did note that this specific infected website being based in the U.S. makes it likely that those affected live in the U.S., as well.
Kotov recommended keeping a backup external hard drive updated and disconnected from any computer to avoid having to pay a ransom to gain back files.
“The problem is that once you’re infected with this is, there’s no way to reverse it unless you pay, and we wouldn’t recommend doing that,” he said.
The compromised website has yet to be cleared of the ransomware.