Security Experts:

TeslaCrypt Ransomware Encrypts Video Game Files

A piece of ransomware that claims to be a new variant of the notorious CryptoLocker is designed to encrypt a wide range of files stored on infected systems, including files associated with video games.

The new threat, dubbed “TeslaCrypt,” was first spotted by researchers at the security firm Emsisoft in late February, Bleeping Computer reported. The malware doesn’t appear to have anything to do with CryptoLocker, but cybercriminals are trying to cash in on the now defunct ransomware’s notoriety.

Researchers at Bromium have also analyzed the malware and discovered that it is distributed through a compromised WordPress website set up to redirect visitors to a page hosting the Angler exploit kit. The Angler landing page is designed to check for the presence of virtual machines and antivirus products, after which it drops the ransomware by exploiting a Flash Player vulnerability patched by Adobe in January or an old Internet Explorer flaw.

Once it infects a system, the malware informs victims that their photos, videos and documents have been encrypted. Unlike other ransomware, TeslaCrypt also encrypts files associated with video games, including Call of Duty, Diablo, Fallout, Minecraft, Warcraft, F.E.A.R, Assassin’s Creed, Resident Evil, World of Warcraft, League of Legends, and World of Tanks.

In addition to profile data, saved games, mods, and maps, the ransomware encrypts files associated with Steam and game development software such as Unity3D, Unreal Engine, and RPG Maker. The malware targets a total of 185 file extensions, including iTunes-related files.

“Encrypting all these games demonstrates the evolution of crypto-ransomware as cybercriminal target new niches. Many young adults may not have any crucial documents or source code on their machine (even photographs are usually stored at Tumblr or Facebook), but surely most of them have a Steam account with a few games and an iTunes account full of music,” Bromium researcher Vadim Kotov wrote in a blog post. “Non gamers are also likely to be frustrated by these attacks if they lose their their personal data.”

Researchers at Webroot have also analyzed TeslaCrypt. They noted that victims are presented with a “free decryption” button, which isn’t surprising considering that some ransomware variants allow users to decrypt a few files for free. However, in this case, when the button is clicked, users are taken to a site where they’re told to pay 1.5 Bitcoin (approximately $415) or $1,000 through PayPal My Cash Card to recover the files.

“Bitcoin is the preferred method of payment as it is a untraceable secure method of receiving payment from you so they give you a better price of only $415. If you wish to use payment systems like PayPal My Cash Card, then the price increases to $1000 (this is because they lose a percentage through the middleman). The choice is very clear that they want the hefty discount to sway you into using bitcoin as payment,” Webroot researchers wrote.

TeslaCrypt is not the only threat targeting gamers these days. Researchers at Malwarebytes have spotted a campaign designed to phish the Steam credentials of Counter-Strike: Global Offensive (CS:GO) players and drop a piece of malware onto their computers.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.