If you thought ransomware forcing people to do good deeds was weird, wait until WannaFriendMe tells you. To get the decryptor for this newly discovered ransomware strain (opens in a new tab), victims need to purchase a game pass from the Roblox Game Pass store.

Roblox is a gaming platform where users can create and play games. Game creators can monetize their creations by requesting passes before playing. These passes can be purchased with the platform's native currency, Robux.

In the ransom note sent to the victims, it is stated that they need to purchase a specific game pass, which costs 1700 Robux, which is around €20. After purchasing the game pass, they must contact a specific email address with their username and a screenshot to prove the purchase.

The chaos? Or Ryuk?

The attackers warn victims not to delete the game pass, as this would invalidate the process.

If you think that 20 € is a small monnaie for rapport à d'autres opérateurs de logical malveillants (ouvre un nouvel onglet) dont sue them atteignent des dizaines de milliers de dollars, gardez à l'esprit que les cibles de cette campagne sont principalement Players.

Another interesting point is that threat actors use Chaos ransomware, which tries to impersonate Ryuk. In mid-2021, someone started selling a Chaos ransomware generator, allowing just about anyone with a few extra dollars to create their own strain of ransomware.

The main difference between Chaos and Ryuk is that the former is known to overwrite large files with gibberish.

In other words, once encrypted, all files larger than 2 MB can never be recovered. This is a known fact for Chaos, and might put off some people who were considering paying the ransom note.

The researchers who discovered the campaign, MalwareHunterTeam, said that the Chaos ransomware generator masquerades as Ryuk by default and uses the .ryuk extension for all encrypted files.

Via: BleepingComputer (Opens in a new tab)

Share This