Fortnite is one of the most used online games nowadays, surpassing 250 million players worldwide. These figures have begun to attract the attention of hackers looking to take advantage of unsuspecting players. Experts in digital forensics have reported the presence of a ransomware, known as Syrk, whose operators pose as a hacking tool for the game.
Malicious actors advertise this ransomware as an “aimbot”, a tool to automatically target other players, increasing the accuracy of the users’ shots. In fact, those who download this malware suffer the blocking of their machines; subsequently the victim receives a message demanding a ransom. If not responding to the demands of the hackers, the victim’s files are deleted a few hours after the infection occurs.
Digital forensics experts from security firm Cyren have reported that the operators of this campaign are using the Hidden-Cry ransomware, and they just changed the extension of the encrypted files to .syrk. “Hidden-Cry source code was posted on GitHub last year, making it very easy to find. We believe hackers use Fortnite player forums to post links that redirect users to ransomware,” the experts said.
After the payload execution, the ransomware connects to a command and control server to disable Windows Defender and UAC to encrypt multiple file types, including extensions such as .gif, .sln, .png, .rar, .zip, .mp4, .mp4, .txt, .ppt, between many others. Hackers can also monitor Taskmgr, Procmon64, ProcessHacker, among many other processes.
Subsequently, the hackers will establish a procedure to delete the encrypted files every two hours, prioritizing the following order: %userprofile%-Pictures; %userprofile%-Desktop; and %userprofile%. Hackers could even infect victims’ external storage drives using LimeUSB_Csharp.exe.
For digital forensics specialists, it was only a matter of time before hackers started attempting such attacks. “There are too many active gamers in the world, so social engineering campaigns against this community can be really lucrative,” experts from the security firm Vectra mentioned. “This new approach disguises malware in an attractive way for gamers, promising advantages in competitive play,” they add.
Fortunately, it’s not just bad news. The experts who revealed this campaign claim that it is possible to recover files encrypted with Syrk without paying to the hackers.
“There is a file (dh35s3h8d69s3b1k.exe), which is located as an integrated resource in the malware and that can function as a tool to remove Hidden-Cry encryption”, the experts mention. “With this file it is possible to create a PowerShell script to recover the compromised files.
In previous occasions, malicious campaigns have been reported targeting the millions of members of the gamer community. Previously, digital forensics specialists from the International Institute of Cyber Security (IICS) reported a malware attack campaign known as MonsterInstall, a Trojan distributed across multiple video game forums, tricking users similarly to the one used by syrk ransomware operators. “In the case of MonsterInstall, when victims download what appears to be a hack for the game, it actually downloads a 7zip file which, in addition to the cheat files, acts as a cryptocurrency mining software; in some cases the hackers even manage to hijack sessions, inject malware, among other activities,” the experts mention.
Fortnite players and similar games, such as PUBG, are advised not to install this kind of tools on their devices because, in addition to the use of these ‘hacks’ being prohibited by game developers, they expose the integrity of their systems to malware infections, among other cybersecurity risks.