If you thought ransomware forcing people to do good deeds was bizarre – wait until you hear about WannaFriendMe. To get the decryptor for this newly discovered ransomware (opens in new tab) strain, victims need to buy a game pass on the Roblox Game Pass store.
Roblox is a gaming platform where users get to build and play games. Game builders can monetize their creations by requiring game passes before playing. These passes can be bought with the platform’s native currency, Robux.
In the ransom note sent to the victims, it says they need to buy a specific game pass, costing 1700 Robux, or roughly $20. After acquiring the game pass, they need to contact a specific email address with their username, and a screenshot to prove the purchase.
Chaos? Or Ryuk?
The attackers are warning the victims not to delete the game pass as that will render the process invalid.
If you thought $20 was pocket change compared to other malware (opens in new tab) operators whose demands reach tens of thousands of dollars, do keep in mind that the targets for this campaign are mostly gamers.
Another interesting point is that the threat actors are using Chaos ransomware, which tries to pass itself off as Ryuk. In mid-2021, someone started selling a Chaos ransomware builder, allowing pretty much anyone with a few extra dollars to spare, to build their own ransomware strain.
The main difference between Chaos and Ryuk, is the fact that the former is known for overwriting large files with gibberish.
In other words, once encrypted, any files larger than 2MB in size can never be retrieved. This is a known fact for Chaos, and might put off some people that considered paying the ransom demand.
The researchers that discovered the campaign, MalwareHunterTeam, said that the Chaos ransomware builder pretends to be Ryuk by default, by using the .ryuk extension for all of the encrypted files.
Via: BleepingComputer (opens in new tab)