Pokemon Go players beware: a new piece of ransomware has been spotted in the wild that disguises itself as a legitimate Pokemon Go application, down to using Pikachu as its icon.
The sample is built on Hiddentear, an open-source ransomware project, and uses it to encrypt the files of unsuspecting users.
Hiddentear first scans the device for files with the following extensions:
.xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .htm, .gif, .png, .txt, .rtf, .doc, .pdf, .mht, .docx, .xls
Once the Pokemon Go ransomware (Hiddentear) has found files with those extensions, it encrypts them with AES and then appends the “.locked” extension to the filename of every encrypted file.
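The two traits above (a fixed target-extension list and a ".locked" suffix) are enough to triage a file listing from a suspected host. The following is an added example and is not code from the article or from the Hiddentear project. It assumes, as the Hiddentear source does, that the locker writes raw AES-CBC ciphertext with PKCS7 padding, so a genuine ".locked" file is a non-empty multiple of 16 bytes; the paths and sizes in SAMPLE_LISTING are constructed for the example.

```python
import os
from collections import Counter
from pathlib import PurePosixPath

# Extension list as given in the article (Hiddentear's target set).
TARGET_EXTENSIONS = {
    ".xlsx", ".ppt", ".pptx", ".odt", ".jpg", ".png", ".csv", ".sql", ".mdb",
    ".sln", ".php", ".asp", ".aspx", ".html", ".xml", ".psd", ".htm", ".gif",
    ".txt", ".rtf", ".doc", ".pdf", ".mht", ".docx", ".xls",
}
LOCK_SUFFIX = ".locked"
# Assumption: the locker writes raw AES-CBC ciphertext with PKCS7 padding, as
# the Hiddentear source does, so a genuine output file is a whole number of
# 16-byte blocks and never empty.
AES_BLOCK = 16


def original_extension(path):
    """For 'report.docx.locked' return '.docx'; '' if nothing precedes .locked."""
    name = os.path.basename(path)
    return PurePosixPath(PurePosixPath(name).stem).suffix.lower()


def classify(path, size):
    """Classify one (path, size) entry:
    encrypted  - .locked file whose original extension was targeted and whose
                 size is consistent with AES-CBC output
    suspicious - .locked file that does not fit that pattern (truncated,
                 renamed by hand, or a different locker)
    at_risk    - untouched file of a targeted type (encryption may still run)
    untouched  - everything else
    """
    suffix = PurePosixPath(os.path.basename(path)).suffix.lower()
    if suffix == LOCK_SUFFIX:
        if (original_extension(path) in TARGET_EXTENSIONS
                and size > 0 and size % AES_BLOCK == 0):
            return "encrypted"
        return "suspicious"
    if suffix in TARGET_EXTENSIONS:
        return "at_risk"
    return "untouched"


def triage(listing):
    """Summarise (path, size) pairs: counts per class plus the original
    extensions that were actually hit."""
    counts = Counter()
    hit_extensions = Counter()
    for path, size in listing:
        cls = classify(path, size)
        counts[cls] += 1
        if cls == "encrypted":
            hit_extensions[original_extension(path)] += 1
    return counts, hit_extensions


def listing_from_disk(root):
    """Build the (path, size) listing from a real directory tree."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.path.getsize(full)
            except OSError:
                continue


# Constructed sample listing standing in for listing_from_disk() on an
# infected host; the paths and sizes are invented for this example.
SAMPLE_LISTING = [
    ("/home/ash/Documents/report.docx.locked", 4096),
    ("/home/ash/Documents/budget.xlsx.locked", 2064),
    ("/home/ash/Pictures/pikachu.png.locked", 131072),
    ("/home/ash/Pictures/thumb.jpg", 2501),      # targeted type, not yet touched
    ("/home/ash/Downloads/setup.exe", 901120),   # not on the target list
    ("/home/ash/Documents/notes.locked", 33),    # wrong size, no original extension
]

if __name__ == "__main__":
    counts, hits = triage(SAMPLE_LISTING)
    print("per class:", dict(counts))
    print("original extensions hit:", dict(hits))
```

Run it against a live tree with `triage(listing_from_disk("/path"))`. A large "at_risk" count next to a growing "encrypted" count means the locker is still running, which is the moment to isolate the host rather than start cleanup; "suspicious" entries are worth a manual look because they do not match Hiddentear's output format.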
One of the Pokemon Go samples that was spotted gives the infected user an email address through which to arrange payment; its ransom note reads:
Your files have been encrypted, decoding Falaksa Mobilis following address firstname.lastname@example.org and thank you in advance for your generosity
Research by BleepingComputer found that the developer behind the Pokemon Go ransomware has added features that allow it to spread through the network:
“On closer look, it is apparent that this developer has put in extra time to include features that are not found in many, if any, other ransomware variants. These features include adding a backdoor Windows account, spreading the executable to other drives, and creating network shares. It also appears that the developer isn't done yet as the source code contains many indications that this is a development version.”
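A backdoor account followed by a new network share leaves a recognisable trail in the Windows Security log, which is how a defender would hunt for this behaviour. The following is an added example, not code from the article or from BleepingComputer's analysis. It uses Microsoft's standard event IDs (4720 user account created, 4732 member added to a local group, 5142 network share added), assumes the events have already been parsed into dicts with the field names shown, and the records in SAMPLE_EVENTS, including the account, host and share names, are constructed for the example.

```python
from datetime import datetime, timedelta

# Windows Security log event IDs (Microsoft's standard IDs; not from the article).
ACCOUNT_CREATED = 4720           # A user account was created
LOCAL_GROUP_MEMBER_ADDED = 4732  # A member was added to a security-enabled local group
SHARE_ADDED = 5142               # A network share object was added


def _when(record):
    return datetime.fromisoformat(record["TimeCreated"])


def find_backdoor_chains(events, window_seconds=600):
    """Flag every account creation that the same subject follows, within
    window_seconds, by adding the new account to a local group and/or by
    creating a network share. Returns one finding dict per flagged account."""
    window = timedelta(seconds=window_seconds)
    ordered = sorted(events, key=_when)
    findings = []
    for ev in ordered:
        if ev["EventID"] != ACCOUNT_CREATED:
            continue
        created = _when(ev)
        subject = ev["SubjectUserName"]
        new_account = ev["TargetUserName"].lower()
        groups, shares = [], []
        for later in ordered:
            delta = _when(later) - created
            if (delta < timedelta(0) or delta > window
                    or later["SubjectUserName"] != subject):
                continue
            if later["EventID"] == LOCAL_GROUP_MEMBER_ADDED:
                # MemberName is DOMAIN\account; compare the account part only.
                member = later.get("MemberName", "").lower().rsplit("\\", 1)[-1]
                if member == new_account:
                    groups.append(later["TargetUserName"])  # group name lives here in 4732
            elif later["EventID"] == SHARE_ADDED:
                shares.append(later["ShareName"])
        if groups or shares:
            findings.append({"account": ev["TargetUserName"], "subject": subject,
                             "time": ev["TimeCreated"], "groups": groups,
                             "shares": shares})
    return findings


# Constructed sample records in the shape of parsed Security-log events; the
# user, host and share names are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2016-08-14T10:00:00",
     "SubjectUserName": "-", "TargetUserName": "ash"},
    {"EventID": 4720, "TimeCreated": "2016-08-13T09:00:00",
     "SubjectUserName": "itadmin", "TargetUserName": "newhire"},
    {"EventID": 4720, "TimeCreated": "2016-08-14T10:02:10",
     "SubjectUserName": "ash", "TargetUserName": "svc_update"},
    {"EventID": 4732, "TimeCreated": "2016-08-14T10:02:11",
     "SubjectUserName": "ash", "TargetUserName": "Administrators",
     "MemberName": "WORKSTATION\\svc_update"},
    {"EventID": 5142, "TimeCreated": "2016-08-14T10:02:15",
     "SubjectUserName": "ash", "ShareName": "\\\\*\\Users$"},
]

if __name__ == "__main__":
    for finding in find_backdoor_chains(SAMPLE_EVENTS):
        print(finding)
```

The routine account creation by `itadmin` a day earlier is not flagged because nothing follows it from the same subject, while the creation by the logged-in user `ash` is, since it is immediately followed by an Administrators membership and a new share. Account and share creation both require the locker to run with local administrator rights, so a match on an ordinary workstation user is itself a strong signal even before the file-system evidence is checked.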