Russian-Speaking Players of Enlisted Shooter Targeted by Ransomware
Enlisted, a multiplayer shooter released by Gaijin Entertainment in 2021, has between 500,000 and a million active players every month. Unfortunately, Russian-speaking players are being targeted by a ransomware campaign distributed through fake download sites. The trojanized game installer carries a locker that poses as a third version of the notorious WannaCry malware, even giving encrypted files the .wncry extension.
Analysis of the Threat
Analysts at Cyble have analyzed the threat and determined that this supposedly new variant of WannaCry is actually based on Crypter, an open-source Python locker created for educational purposes. The game installer downloaded from the fake site is named “enlisted_beta-v1.0.3.115.exe”; when run, it drops two executable files on the user’s disk: ENLIST~1 (the actual game) and enlisted (the malware’s Python launcher).
Encryption Process
On initialization, the ransomware creates a mutex to avoid running multiple instances on the infected machine. It then parses its JSON config file to determine which file types to target, which directories to skip, and which wallet address to present for the ransom payment. The ransomware checks its working directory for a key.txt file to use in the encryption step, creating one if it does not exist. Files are encrypted with AES-256, and every locked file receives the .wncry extension.
Interestingly, the malware does not attempt to terminate processes or services, as modern lockers usually do, but it does follow standard ransomware practice in deleting shadow copies to hinder data recovery. Once encryption is complete, the ransomware displays a ransom note through a dedicated GUI application and gives the victim three days to decide. In case the victim’s antivirus blocks the ransom note from being displayed, the ransomware also replaces the user’s desktop wallpaper.
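The traits described above (a .wncry extension on every locked file and a key.txt file in the locker's working directory) are enough for a quick host triage. The following script is an added example, not code from the article or from Cyble; the directory layout it builds is constructed sample data, and the "key_file_dirs" heuristic assumes the key file sits somewhere under the scanned root.

```python
"""Host triage for the .wncry locker described above (added example)."""
import json
import os
import tempfile
from collections import Counter
from pathlib import Path

LOCKED_EXT = ".wncry"   # extension the locker appends to encrypted files
KEY_FILE = "key.txt"    # key file the locker looks for (or creates) in its working directory


def triage(root: str) -> dict:
    """Walk `root` and summarise signs of the locker: how many .wncry files exist,
    which original extensions were hit, and whether a key.txt sits nearby."""
    locked = []
    key_dirs = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == KEY_FILE:
                key_dirs.add(dirpath)
            elif name.endswith(LOCKED_EXT):
                locked.append(Path(dirpath) / name)
    # Strip the appended .wncry to recover the original extension of each victim file.
    by_ext = Counter(Path(p.name[: -len(LOCKED_EXT)]).suffix or "<none>" for p in locked)
    return {
        "locked_count": len(locked),
        "locked_by_original_ext": dict(by_ext),
        "key_file_dirs": sorted(key_dirs),
        # Both indicators together point at this locker rather than a stray rename.
        "likely_wncry_locker": bool(locked) and bool(key_dirs),
    }


def build_sample_tree() -> str:
    """Create a constructed sample tree resembling an infected user profile."""
    root = tempfile.mkdtemp(prefix="wncry_triage_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    for name in ("report.docx.wncry", "photo.jpg.wncry", "notes.txt.wncry"):
        (docs / name).write_bytes(b"\x00" * 16)       # placeholder ciphertext
    (docs / "untouched.exe").write_bytes(b"MZ")         # file type the config skips
    (Path(root) / KEY_FILE).write_text("constructed-placeholder-key\n")
    return root


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_tree()), indent=2))
```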
Contacting the Hackers
The researchers note that the hackers do not operate a Tor site; instead, victims are told to contact them through a Telegram bot.
According to experts, many popular online shooters may now be unavailable to Russian users, so Enlisted has become a good alternative for them. Since the attackers have already taken note of this, they may well create fake sites for other similar games with Russian localization.