Fortnite, the second most popular video game of 2019, has been targeted by a ransomware variant dubbed Syrk. Promising players an ‘aimbot’ for aiming more accurately while playing and ‘ESP’ for discovering other players’ locations in the game, Syrk has a prospect list of over 250 million gamers. Instead of delivering on those promises, Syrk acts as typical ransomware: it locks machines, demands a ransom and, if the ransom is left unpaid, deletes batches of files every two hours.
Syrk or Hidden-Cry Ransomware?
According to an analysis provided by researchers at Cyren, Syrk ransomware is actually Hidden-Cry ransomware that’s been given a .Syrk extension.
“The source code for Hidden-Cry is readily available, having been shared on Github at the end of last year,” the researchers noted. “We expect Syrk to possibly be distributed via an upload to a sharing site and the link posted to Fortnite users in forums.”
Once the payload is executed, it connects to a command-and-control (C2) server and disables Windows Defender and UAC through a registry weakness. The ransomware then targets file types, including: .gif, .sln, .docx, .php, .psd, .ico, .mov, .xlsx, .jpg, .xls, .doc, .pdf, .wav, .pptx, .ppt, .txt, .png, .bmp, .rar, .zip, .mp3, .mp4, and .avi. Once these files are encrypted, it appends the .Syrk extension.
Following the encryption process, the ransomware sets up a timed procedure that deletes the encrypted files in the following directories: userprofile/pictures, userprofile/desktop, and userprofile/documents. Additionally, the ransomware uses LimeUSB_CSharp.exe to infect USB drives if any are present.
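The indicators described above (the appended .Syrk extension, the three folders on the deletion timer, and the LimeUSB_CSharp.exe file name) can be turned into a quick triage check. The script below is an added example, not code from Cyren's analysis or from the malware; the function names and sample paths are constructed for illustration.

```python
import os
from collections import Counter
from pathlib import PureWindowsPath

# From the article: targeted types, appended extension, folders on the
# two-hour deletion timer, and the USB spreader's file name.
TARGETED = set(".gif .sln .docx .php .psd .ico .mov .xlsx .jpg .xls .doc .pdf "
               ".wav .pptx .ppt .txt .png .bmp .rar .zip .mp3 .mp4 .avi".split())
APPENDED = ".syrk"
TIMED_DELETE_DIRS = {"pictures", "desktop", "documents"}
USB_SPREADER = "limeusb_csharp.exe"


def triage(paths):
    """Group .Syrk files by folder; flag timer folders and the USB spreader."""
    encrypted, unlisted, spreader = Counter(), set(), []
    for raw in paths:
        p = PureWindowsPath(raw)
        suffixes = [s.lower() for s in p.suffixes]
        if p.name.lower() == USB_SPREADER:
            spreader.append(raw)
        elif suffixes and suffixes[-1] == APPENDED:
            encrypted[str(p.parent).lower()] += 1
            # "report.docx.Syrk" -> original type ".docx"; the article's list
            # is introduced with "including", so record types outside it.
            original = suffixes[-2] if len(suffixes) > 1 else ""
            if original not in TARGETED:
                unlisted.add(original)
    # Folders on the deletion timer are listed separately so they are handled first.
    at_risk = sorted(d for d in encrypted
                     if PureWindowsPath(d).name in TIMED_DELETE_DIRS)
    return {"encrypted": dict(encrypted), "at_risk": at_risk,
            "unlisted_types": sorted(unlisted), "spreader": spreader}


def walk(root):
    """Yield every file path under root (a user profile or a USB drive)."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(folder, name)


# Constructed sample paths, not taken from a real infection.
SAMPLE = [r"C:\Users\alex\Pictures\cat.jpg.Syrk",
          r"C:\Users\alex\Pictures\dog.png.SYRK",
          r"C:\Users\alex\Documents\budget.xlsx.Syrk",
          r"C:\Users\alex\Downloads\demo.flac.Syrk",
          r"C:\Users\alex\Desktop\todo.txt",
          r"E:\LimeUSB_CSharp.exe"]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a live system, pass `walk(...)` over the user profile or a mounted USB drive to `triage` instead of the sample list.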
“Combining game malware with ransomware was inevitable,” said Chris Morales, head of security analytics at Vectra. “Social engineering through online video games has been going on for some time. It is a large audience to target and an industry that is known to look for shortcuts. Malware posing as a hack tool is novel as it will not be validated by any app store and bypasses the normal security controls. This makes encrypting files using a game hack highly opportunistic and easy to execute.”
Embedding Aimbots with Ransomware – Cheating the Cheater
For those unfamiliar with first-person shooter, player-versus-player, or the ever-popular “Battle Royale” video games, aimbots are extremely frowned upon in the gaming community. In fact, a recent video posted by Ninja (the most popular video game streamer in the world) shows him calling Epic Games to report and ban an individual using an aimbot. As described before, an aimbot essentially targets individuals anywhere on a map, and once the player presses the trigger, it’s extremely difficult, if not impossible, to avoid being eliminated.
Syrk ransomware can be said to be cheating the cheater. While we would certainly not wish ransomware upon anyone, extreme gamers would say individuals looking for aimbots who instead find ransomware are getting what they deserve.
Gaming and Ransomware – Match Made in Heaven?
There certainly haven’t been many stories in the news lately about gamers being infected with ransomware. This could be partly because hackers have been focusing on much bigger targets, such as the municipalities that have been grabbing headlines left and right. However, according to a study released by Electronic Entertainment Design and Research, about 67 percent, or roughly 211 million people, play video games on at least one gaming device.
“The video game industry, and gamers in general, are lucrative targets for cybercriminals,” said Alex Guirakhoo, strategic intelligence analyst at Digital Shadows. “Gamers are attractive targets for this kind of attack as they likely have computers with powerful graphic cards, which are heavily sought after for cryptocurrency mining because of their performance. A lot of this builds on the wide media attention that popular games receive on social media and sites such as Twitch or YouTube. The more attention a game gets because of a new release or update, the more likely it is that a cybercriminal will be able to successfully distribute malware.”
Fortnite isn’t the first video game to be targeted by hackers. Trojans like MonsterInstall have been distributed on websites that claim to offer hacks and cheats for popular and competitive games such as Minecraft and FIFA.
With popular gaming franchises Xbox and PlayStation slated to release their newest devices in the next year and a half, the gaming world and cybersecurity are on a collision course. With over 200 million targets, it’s only a matter of time before the gaming industry becomes a hot commodity for hackers.