Over 50 out of 185 targeted file extensions are game-related

Mar 13, 2015 12:51 GMT  ·  By

A crypto-ransomware strain dubbed TeslaCrypt encrypts more than 50 game-related file types belonging to at least 20 popular titles.

The threat is delivered through drive-by downloads from the Angler exploit kit, which uses exploits for Adobe Flash Player (CVE-2015-0311) and Internet Explorer (CVE-2013-2551).

Similarities with CryptoLocker account for 8%

According to an analysis by researchers at security company Bromium, TeslaCrypt targets a total of 185 file extensions and uses the AES algorithm to encrypt the data.

Game file types taken hostage by the threat include user profile data, saved games, maps and mods. Some games let users store such data in an account on the publisher's servers, but that is not the case for all of them.

The researchers also determined that it attempts to pass itself off as CryptoLocker, the infamous ransomware distributed by the GameOver Zeus botnet, which was disrupted in 2014 by law enforcement and private security companies.

However, in a blog post released on Thursday, Bromium researcher Vadim Kotov says the two crypto-malware families are only about 8% similar, indicating that the cybercriminals are merely trying to trade on CryptoLocker's notoriety.

Files of popular titles taken hostage for ransom

TeslaCrypt was originally discovered by Fabian Wosar of Emsisoft, who noticed that the cybercriminals offered the victim two payment options: $1,000 (about €944) in PayPal My Cash cards, which can be redeemed into a PayPal account, or $500 (about €473) if paid in bitcoin.

All payments are handled through a website on the Tor (The Onion Router) anonymity network, Kotov says.

The list of single-player desktop titles whose data is encrypted by TeslaCrypt includes Call of Duty, StarCraft II, Minecraft, Half-Life 2, The Elder Scrolls (Skyrim-related files), Warcraft III and Assassin's Creed.

Files for the online games World of Warcraft, League of Legends and World of Tanks are also targeted by the malware.

Additionally, Kotov says TeslaCrypt also affects files belonging to the Steam platform and to the game development tools RPG Maker, Unity3D and Unreal Engine.

A more thorough analysis is required

Although the ransom message claims that strong encryption (a 2048-bit RSA key) is used to prevent the files from being unlocked, the researchers could not find evidence to support this claim; what their analysis did observe was AES, a symmetric cipher.

On the other hand, they carried out only a preliminary analysis, and some questions remain unanswered. For instance, they found a file called "key.dat" whose contents are not fully understood. What that file holds matters: a symmetric key stored locally in the clear could allow files to be recovered without paying, whereas a key wrapped with an attacker-held RSA public key could not.
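To make the distinction concrete, the following is an added illustrative example, not TeslaCrypt's actual scheme and not code from Bromium's analysis. It models the two possibilities for a local key file: scenario A stores the per-file symmetric key in the clear (recoverable offline), scenario B stores only the key wrapped with an attacker-held RSA public key (unrecoverable without the private key). To stay dependency-free it uses an HMAC-SHA256 keystream as a stand-in for AES and textbook RSA without padding with freshly generated 128-bit primes; all of those choices, the names, and the sample plaintext are assumptions made for this example.

```python
import hashlib
import hmac
import math
import secrets

# --- Toy symmetric cipher: HMAC-SHA256 run in counter mode (stand-in for AES-CTR). ---
# Assumption for this example only; real ransomware would use a block cipher such as AES.
def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from (key, nonce); the same call decrypts."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

# --- Minimal RSA (textbook, no padding): illustration only, never use as-is. ---
def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test with trial division for small factors."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has at least 2*bits-1 bits."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def rsa_keygen(bits: int = 128):
    """Return ((n, e), (n, d)). 128-bit primes give n >= 2^254, enough to wrap a 16-byte key."""
    e = 65537
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            n = p * q
            return (n, e), (n, pow(e, -1, phi))

# --- Scenario A: symmetric-only, file key written to the local key file in the clear. ---
def encrypt_symmetric_only(plaintext: bytes):
    """Returns (ciphertext, nonce, key_dat). key_dat simulates a locally stored key file."""
    key, nonce = secrets.token_bytes(16), secrets.token_bytes(8)
    return keystream_xor(key, nonce, plaintext), nonce, key

def recover_from_key_dat(ciphertext: bytes, nonce: bytes, key_dat: bytes) -> bytes:
    """A victim (or responder) with the key file alone can decrypt."""
    return keystream_xor(key_dat, nonce, ciphertext)

# --- Scenario B: hybrid, file key wrapped under the attacker's RSA public key. ---
def encrypt_hybrid(plaintext: bytes, pubkey):
    """Returns (ciphertext, nonce, key_dat) where key_dat holds only the RSA-wrapped key."""
    n, e = pubkey
    key, nonce = secrets.token_bytes(16), secrets.token_bytes(8)
    wrapped = pow(int.from_bytes(key, "big"), e, n)  # key as int < 2^128 < n
    key_dat = wrapped.to_bytes((n.bit_length() + 7) // 8, "big")
    return keystream_xor(key, nonce, plaintext), nonce, key_dat

def unwrap_with_private(key_dat: bytes, privkey) -> bytes:
    """Only the holder of d (the attacker) can unwrap the file key."""
    n, d = privkey
    return pow(int.from_bytes(key_dat, "big"), d, n).to_bytes(16, "big")

def demo(plaintext: bytes = b"constructed sample: a saved game") -> dict:
    """Run both scenarios and report whether the local key file suffices for recovery."""
    ct_a, nonce_a, kd_a = encrypt_symmetric_only(plaintext)
    pub, priv = rsa_keygen()
    ct_b, nonce_b, kd_b = encrypt_hybrid(plaintext, pub)
    return {
        "symmetric_only_recoverable_from_key_dat": recover_from_key_dat(ct_a, nonce_a, kd_a) == plaintext,
        "hybrid_recoverable_from_key_dat": keystream_xor(kd_b, nonce_b, ct_b) == plaintext,
        "hybrid_recoverable_with_private_key": keystream_xor(unwrap_with_private(kd_b, priv), nonce_b, ct_b) == plaintext,
    }

if __name__ == "__main__":
    print(demo())
```

The practical point for an analyst looking at a file like key.dat is the same whatever the real cipher is: if the bytes in it decrypt a known-plaintext sample directly, the scheme is symmetric-only and recovery is possible; if they are the size of an RSA modulus and only yield the key after an operation with a private key the sample does not contain, the "2048-bit RSA" claim is real in effect even if the bulk encryption is AES.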

Image: Ransomware message claims 2048-bit RSA encryption

Image: Extensions by file type locked by TeslaCrypt