Malware

Want to make millions in Fortnite? This video game hacking tool is actually ransomware

Fortnite is one of the most played online games today, with more than 250 million players worldwide. Those figures have begun to attract hackers looking to take advantage of unsuspecting players. Digital forensics experts have reported a ransomware strain, known as Syrk, that its operators pass off as a hacking tool for the game.

Malicious actors advertise the ransomware as an “aimbot”, a tool that automatically targets other players and so improves the accuracy of the user’s shots. In reality, anyone who runs the download has their files encrypted and then receives a message demanding a ransom. If the victim does not meet the hackers’ demands, their files start being deleted a few hours after the infection occurs.

Digital forensics experts from security firm Cyren have reported that the operators of this campaign are using the Hidden-Cry ransomware, having changed only the extension appended to encrypted files to .syrk. “Hidden-Cry source code was posted on GitHub last year, making it very easy to find. We believe hackers use Fortnite player forums to post links that redirect users to ransomware,” the experts said.

After the payload executes, the ransomware contacts a command and control server, disables Windows Defender and UAC, and encrypts multiple file types, including .gif, .sln, .png, .rar, .zip, .mp4, .txt and .ppt, among many others. The malware also monitors for analysis tools such as Taskmgr, Procmon64 and ProcessHacker, among other processes.

The malware then sets up a routine that deletes encrypted files every two hours, working through the victim’s data in the following order: %userprofile%\Pictures, then %userprofile%\Desktop, then the rest of %userprofile%. It can also spread to the victim’s external storage drives using a component named LimeUSB_Csharp.exe.
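The deletion schedule above is what makes triage time-critical: a responder needs to know which encrypted files the malware will destroy next. The following Python script is an added example, not code from the article, from Cyren, or from the malware itself. It walks a user profile, identifies files renamed with the .syrk extension, recovers the original name and extension, and orders the hits by the deletion priority the article describes (Pictures first, then Desktop, then everything else under the profile). The extension list is only the subset quoted in the article, and the sample profile tree the `demo()` function builds is constructed for illustration.

```python
"""Triage helper for a Syrk (Hidden-Cry) infection.

Added example, not the article's or Cyren's code. Uses only facts stated in
the article: encrypted files get a trailing .syrk extension, and deletion
proceeds Pictures -> Desktop -> rest of %userprofile% every two hours.
"""
import os
import tempfile
from pathlib import Path

SYRK_SUFFIX = ".syrk"
# Extensions named in the article (a subset of what the malware really targets).
TARGETED_EXTS = {".gif", ".sln", ".png", ".rar", ".zip", ".mp4", ".txt", ".ppt"}
# Deletion order relative to the profile root; anything else comes after these.
DELETION_ORDER = ("Pictures", "Desktop")


def original_name(path):
    """Pre-encryption path (as a string) for a .syrk file, or None if it is not one."""
    p = Path(path)
    if p.suffix.lower() != SYRK_SUFFIX:
        return None
    return str(p.with_suffix(""))  # strips only the trailing .syrk


def deletion_rank(path, profile):
    """0 = Pictures (deleted first), 1 = Desktop, 2 = rest of the profile, 3 = outside it."""
    try:
        rel = Path(path).relative_to(Path(profile))
    except ValueError:  # file is not under the profile at all
        return len(DELETION_ORDER) + 1
    top = rel.parts[0].lower() if len(rel.parts) > 1 else ""
    for rank, folder in enumerate(DELETION_ORDER):
        if top == folder.lower():
            return rank
    return len(DELETION_ORDER)


def triage(profile):
    """Walk the profile and list every .syrk file, most urgent first."""
    hits = []
    for root, _dirs, files in os.walk(profile):
        for name in files:
            p = Path(root) / name
            orig = original_name(p)
            if orig is None:
                continue
            ext = Path(orig).suffix.lower()
            hits.append({
                "encrypted": str(p),
                "original": orig,
                "original_ext": ext,
                "in_article_list": ext in TARGETED_EXTS,
                "deletion_rank": deletion_rank(p, profile),
            })
    hits.sort(key=lambda h: (h["deletion_rank"], h["encrypted"]))
    return hits


def demo():
    """Build a constructed profile tree in a temp dir and triage it."""
    base = Path(tempfile.mkdtemp(prefix="syrk_demo_"))
    sample = [  # constructed sample paths, not real victim data
        "Pictures/holiday.png.syrk",
        "Desktop/notes.txt.syrk",
        "Documents/project.sln.syrk",
        "readme.txt.syrk",
        "Desktop/untouched.docx",      # never encrypted; must not appear in hits
        "Downloads/archive.7z.syrk",   # encrypted, but .7z is not in the article's list
    ]
    for rel in sample:
        f = base / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"\x00" * 16)  # placeholder content
    return triage(base)


if __name__ == "__main__":
    for h in demo():
        print(h["deletion_rank"], h["encrypted"], "->", h["original"])
```

Run it against a copy of the profile, never the live disk: the two-hour timer keeps running while the malware is active, so the files it ranks 0 and 1 are the ones to copy off the machine first.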

For digital forensics specialists, it was only a matter of time before hackers started attempting such attacks. “There are too many active gamers in the world, so social engineering campaigns against this community can be really lucrative,” experts from the security firm Vectra mentioned. “This new approach disguises malware in an attractive way for gamers, promising advantages in competitive play,” they add.

Fortunately, it is not all bad news. The experts who revealed this campaign say it is possible to recover files encrypted with Syrk without paying the hackers. Because the deletion routine keeps running while the malware is active, the first step is to isolate the machine and copy the .syrk files to separate media before attempting any recovery.

“There is a file (dh35s3h8d69s3b1k.exe), which is located as an embedded resource in the malware and which can function as a tool to remove Hidden-Cry encryption,” the experts mention. “With this file it is possible to create a PowerShell script to recover the compromised files.”

On previous occasions, malicious campaigns have been reported targeting the millions of members of the gaming community. Digital forensics specialists from the International Institute of Cyber Security (IICS) previously reported a malware campaign known as MonsterInstall, a Trojan distributed across multiple video game forums using a lure similar to the one the Syrk ransomware operators use. “In the case of MonsterInstall, when victims download what appears to be a hack for the game, it actually downloads a 7zip file which, in addition to the cheat files, acts as cryptocurrency mining software; in some cases the hackers even manage to hijack sessions, inject malware, and carry out other activities,” the experts mention.

Players of Fortnite and similar games, such as PUBG, are advised not to install this kind of tool on their devices: besides the use of such ‘hacks’ being prohibited by game developers, they expose the integrity of their systems to malware infections and other cybersecurity risks.
