If you thought ransomware forcing people to do good deeds was bizarre, wait until you hear about WannaFriendMe. To get the decryptor for this newly discovered ransomware strain, victims need to buy a game pass from the Roblox Game Pass store.
Roblox is a gaming platform where users can build and play games. Game creators can monetize their creations by requiring game passes before playing. These passes can be purchased with the platform’s native currency, Robux.
The ransom note sent to victims says that they need to buy a specific game pass, costing 1700 Robux, or around $20. After purchasing the game pass, they need to contact a specific email address with their username and a screenshot to prove the purchase.
Chaos? Or Ryuk?
Attackers are warning victims not to delete the game pass as this will make the process invalid.
If you thought $20 was small change compared to other malware operators, whose demands run into the tens of thousands of dollars, keep in mind that the targets of this campaign are primarily gamers.
Another interesting point is that the threat actors are using Chaos ransomware, which tries to impersonate Ryuk. In mid-2021, someone started selling a Chaos ransomware builder, allowing just about anyone with a few extra dollars to spare to build their own ransomware strain.
The main difference between Chaos and Ryuk is the fact that the former is known to overwrite large files with gibberish.
In other words, once encrypted, any file larger than 2MB can never be recovered. This is known behavior for Chaos, and it may put off some people who were considering paying the ransom demand.
The researchers who discovered the campaign, MalwareHunterTeam, said that the creator of the Chaos ransomware pretends to be Ryuk by default, using the .ryuk extension for all encrypted files.
Via: BleepingComputer