Once the Pokemon Go ransomware (a HiddenTear variant) has found files carrying the extensions listed above, it encrypts them with AES. When encryption completes, it appends the ".locked" extension to the filename of every encrypted file.
One of the Pokemon Go ransomware samples that has been spotted uses the following email account to instruct infected users on how to make a payment:
The Pokemon Go ransomware displays the following ransom note text:
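The encrypt-then-rename loop described above leaves two observable traces: files whose names now end in ".locked", and a single process renaming many files to that suffix in a short burst. The following Python is an added example written from the defender's side (it is not code from the original article or from the ransomware author): it inventories ".locked" files by recovering their original extension, and runs a sliding-window detector over file-system rename events. The paths, process ids and timestamps are constructed sample data; the 5-renames-in-30-seconds threshold is an assumption to tune per environment.

```python
"""Triage and detection for HiddenTear-style ".locked" renames (added example)."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Optional

LOCKED_SUFFIX = ".locked"


def original_extension(path: str) -> Optional[str]:
    """Return the pre-encryption extension of a '.locked' file, or None if not locked.

    "report.docx.locked" -> ".docx"; "archive.locked" -> "" (no inner extension).
    """
    p = PureWindowsPath(path)
    if p.suffix.lower() != LOCKED_SUFFIX:
        return None
    # stem strips ".locked"; the suffix of what remains is the original extension
    return PureWindowsPath(p.stem).suffix.lower()


def inventory_locked(paths):
    """Count '.locked' files grouped by original extension (blast-radius estimate)."""
    counts = Counter()
    for path in paths:
        ext = original_extension(path)
        if ext is not None:
            counts[ext] += 1
    return dict(counts)


def detect_rename_bursts(events, threshold=5, window=timedelta(seconds=30)):
    """Flag process ids that rename >= threshold files to '.locked' inside `window`.

    `events` are (timestamp, pid, operation, path) tuples, e.g. from a file-system
    audit feed; only 'rename' operations ending in '.locked' are counted.
    """
    recent = defaultdict(deque)  # pid -> timestamps of recent .locked renames
    flagged = set()
    for ts, pid, op, path in sorted(events):
        if op != "rename" or not path.lower().endswith(LOCKED_SUFFIX):
            continue
        q = recent[pid]
        q.append(ts)
        while q and ts - q[0] > window:  # drop renames that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(pid)
    return sorted(flagged)


# --- constructed sample data (not from a real incident) ---
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.locked",
    r"C:\Users\alice\Documents\budget.xlsx.locked",
    r"C:\Users\alice\Pictures\holiday.jpg.locked",
    r"C:\Users\alice\Pictures\family.jpg.locked",
    r"C:\Users\alice\Documents\notes.txt",  # untouched file
]

T0 = datetime(2016, 8, 15, 12, 0, 0)  # constructed timestamp
SAMPLE_EVENTS = [
    # pid 4242 (hypothetical) renames six files to .locked within six seconds
    (T0 + timedelta(seconds=i), 4242, "rename", rf"C:\Users\alice\Documents\file{i}.docx.locked")
    for i in range(6)
] + [
    # pid 1000 (hypothetical) performs one .locked rename and one ordinary write
    (T0 + timedelta(seconds=3), 1000, "rename", r"C:\Users\alice\Desktop\old.txt.locked"),
    (T0 + timedelta(seconds=4), 1000, "write", r"C:\Users\alice\Desktop\old.txt"),
]

if __name__ == "__main__":
    print("locked files by original extension:", inventory_locked(SAMPLE_PATHS))
    print("processes with rename bursts:", detect_rename_bursts(SAMPLE_EVENTS))
```

Feeding real audit data means mapping your source (Sysmon, an EDR file-event stream, auditd on a file server) into the `(timestamp, pid, operation, path)` tuples the detector expects; the inventory function is useful during recovery to decide which backups to restore first.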
Your files have been encrypted , decoding Falaksa Mobilis following address [email protected] and thank you in advance for your generosity
Research performed by BleepingComputer found that the author of the Pokemon Go ransomware has built in additional features that allow the ransomware to spread through the network.
On closer look, it is apparent that this developer has put in extra time to include features that are not found in many, if any, other ransomware variants. These features include adding a backdoor Windows account, spreading the executable to other drives, and creating network shares. It also appears that the developer isn't done yet as the source code contains many indications that this is a development version.
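Two of the side effects described in that quote, a newly created local account and a newly created network share, are both audited by Windows. The Python below is an added example (not BleepingComputer's or the article's code) that correlates constructed Security-log records: it raises a finding when one logon session produces both an account-creation event (ID 4720, "A user account was created") and a share-creation event (ID 5142, "A network share object was added") within a short window. The record dictionaries, logon ids, account and share names, and the ten-minute window are all assumptions chosen for the example.

```python
"""Correlate local account creation with network share creation per logon session (added example)."""
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720  # Windows Security event: a user account was created
SHARE_ADDED = 5142      # Windows Security event: a network share object was added


def correlate_account_and_share(records, window=timedelta(minutes=10)):
    """Return findings for sessions that create an account and a share within `window`.

    Each record is a dict with keys: time (datetime), event_id (int),
    logon_id (str, the session that performed the action), target (str).
    """
    by_session = {}
    for r in records:
        by_session.setdefault(r["logon_id"], []).append(r)

    findings = []
    for logon_id, recs in by_session.items():
        accounts = [r for r in recs if r["event_id"] == ACCOUNT_CREATED]
        shares = [r for r in recs if r["event_id"] == SHARE_ADDED]
        for a in accounts:
            for s in shares:
                if abs(s["time"] - a["time"]) <= window:
                    findings.append({
                        "logon_id": logon_id,
                        "account": a["target"],
                        "share": s["target"],
                        "seconds_apart": abs((s["time"] - a["time"]).total_seconds()),
                    })
    return findings


# --- constructed sample records (parsed event-log entries, not real data) ---
T0 = datetime(2016, 8, 15, 13, 0, 0)
SAMPLE_RECORDS = [
    # session 0x1a2b3c (hypothetical): account then share, 45 seconds apart
    {"time": T0, "event_id": ACCOUNT_CREATED, "logon_id": "0x1a2b3c", "target": "svc_backup"},
    {"time": T0 + timedelta(seconds=45), "event_id": SHARE_ADDED, "logon_id": "0x1a2b3c", "target": r"\\*\share$"},
    # session 0x9f9f9f (hypothetical): an admin creating one account, no share
    {"time": T0 + timedelta(minutes=2), "event_id": ACCOUNT_CREATED, "logon_id": "0x9f9f9f", "target": "newhire"},
    # session 0x4d4d4d (hypothetical): a share created hours after an account, outside the window
    {"time": T0 - timedelta(hours=3), "event_id": ACCOUNT_CREATED, "logon_id": "0x4d4d4d", "target": "contractor"},
    {"time": T0, "event_id": SHARE_ADDED, "logon_id": "0x4d4d4d", "target": r"\\*\projects"},
]

if __name__ == "__main__":
    for f in correlate_account_and_share(SAMPLE_RECORDS):
        print(f)
```

Keying on the logon id rather than on the account name is deliberate: it ties the two actions to the same interactive or service session regardless of which user the malware runs as. In production, the same correlation can be expressed as a SIEM rule over events 4720 and 5142 grouped by Subject Logon ID.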