Pokémon Go ransomware creates Windows backdoor account, spreads to all other drives

Here comes Pokémon Go-themed ransomware

Credit: Bleeping Computer

If you build it and it’s popular, they will come; “it” being an app, and “they” being cyber criminals. This time it’s Pokémon Go ransomware, which goes the extra mile: it adds a hidden backdoor Windows administrator account, copies itself to every drive it can find and creates a network share.

Michael Gillespie discovered a Hidden Tear ransomware variant disguised as a Pokémon Go app on a Windows Phone. But it is not a run-of-the-mill Hidden Tear build. Bleeping Computer explained, “This developer has put in extra time to include features that are not found in many, if any, other ransomware variants.”


For starters, the ransomware creates a backdoor user account named “Hack3r” and adds it to the local Administrators group. It then hides the account from the Windows login screen through the registry, the usual way of doing that being a value named after the account, set to 0, under Winlogon\SpecialAccounts\UserList. The account still exists and still has administrator rights; it just no longer appears on the logon screen, which is exactly what makes it worth checking for by hand rather than by eye.

Another feature creates a network share on the victim’s computer. The ransomware also spreads by copying its executable to every drive attached to the machine.

After the executable is copied onto a removable drive, the ransomware writes an autorun.inf file next to it so that the drive launches the ransomware each time it is plugged into a PC. One caveat a defender should know: Windows 7 and later ignore autorun.inf on USB and other non-optical removable media, and a 2011 update brought the same behaviour to XP and Vista, so this propagation trick only pays off against old, unpatched machines or systems where AutoRun was deliberately re-enabled.

The executable is also copied to the root of any other fixed drives, and the sample is set up so that the Pokémon Go ransomware runs again each time the victim logs into Windows.
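The behaviour described above (hidden admin account, new share, copies at drive roots with autorun.inf, persistence at logon) can be checked for on a Windows host with a few lines of PowerShell. The script below is an added example, not code from the article, from Bleeping Computer or from the malware itself; it is read-only triage, to be run from an elevated PowerShell 5.1 or newer session. The account name “Hack3r” and the UserList registry key are documented behaviour; the approved-admin list, the file patterns and the wording of the findings are assumptions for illustration.

```powershell
# Added example: triage for the indicators described in the article. Read-only.
# Assumptions: elevated PowerShell 5.1+; the Windows SMB and LocalAccounts modules
# are present (Windows 8/2012 or later). Nothing here is taken from the sample.

$SuspectAccount = 'Hack3r'
$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Accounts hidden from the logon screen. Any value of 0 under
#    SpecialAccounts\UserList hides the account it is named after; report every
#    such entry, not only the one name we already know about.
if (Test-Path $UserListKey) {
    $key = Get-Item $UserListKey
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValue($name) -eq 0) {
            $Findings.Add("Account hidden from logon screen via UserList: $name")
        }
    }
}

# 2. Members of the local Administrators group that nobody has vouched for.
$knownAdmins = @('Administrator')   # assumption: replace with your approved list
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object {
    $short = ($_.Name -split '\\')[-1]
    if ($short -ieq $SuspectAccount) {
        $Findings.Add("Backdoor admin account present: $($_.Name)")
    } elseif ($_.ObjectClass -eq 'User' -and $short -notin $knownAdmins) {
        $Findings.Add("Unreviewed local admin: $($_.Name)")
    }
}

# 3. SMB shares beyond the built-in administrative ones (C$, ADMIN$, IPC$, ...).
Get-SmbShare -ErrorAction SilentlyContinue | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
    $Findings.Add("Non-administrative share: $($_.Name) -> $($_.Path)")
}

# 4. Drive roots: autorun.inf and loose executables on removable (DriveType 2)
#    and fixed (DriveType 3) drives, which is where the copies would land.
Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 3 } | ForEach-Object {
    $root = $_.DeviceID + '\'
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path $autorun) {
        $body = (Get-Content $autorun -ErrorAction SilentlyContinue) -join ' | '
        $Findings.Add("autorun.inf on $root : $body")
    }
    Get-ChildItem -Path $root -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $Findings.Add("Executable at drive root: $($_.FullName) ($($_.Length) bytes)")
    }
}

# 5. Logon persistence: Run keys for the machine and the current user. Every
#    entry deserves a look; one that launches an .exe straight from a drive
#    root is the pattern this kind of sample would leave behind.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $tag = if ("$($_.Value)" -match '^"?[A-Za-z]:\\[^\\]+\.exe') { ' [drive-root executable]' } else { '' }
            $Findings.Add("Run entry ($k) $($_.Name) = $($_.Value)$tag")
        }
}

if ($Findings.Count -eq 0) {
    Write-Host 'No indicators found.'
} else {
    $Findings | ForEach-Object { Write-Warning $_ }
}
```

The script deliberately changes nothing. If it confirms a hit, image the machine first; the clean-up is then Remove-LocalUser for the account, Remove-ItemProperty on the matching UserList value so the logon screen is honest again, Remove-SmbShare for the share, and deleting the root-level copies and autorun.inf from every drive that was attached, including USB sticks that have since been unplugged.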

As of right now, the experts believe the ransomware is still being developed. It uses a static AES encryption key, “123vivalalgerie,” so the key needed to decrypt files is the same on every victim and sits inside the binary. Additionally, the Command & Control server is configured with a private (non-routable) IP address, which means the ransomware cannot reach it over the internet; it would only work on a network where that address is in use, most likely the developer’s own.

Poor Pikachu is being abused: it is the “face” of the ransom note, which is displayed as a screensaver and is currently written in Arabic. Bleeping Computer noted that the screensaver executable also embeds an image named “Sans Titre.” “This phrase is French, rather than Arabic, and means Untitled. Could this be a clue for the origin of the developer?” It is a fair question: “Sans titre” is the name a French-language copy of Windows gives a new, unsaved image, so the developer was likely working on a French-locale machine.

Ransomware still in development stages

Based on news over the last week, security researchers are turning up more and more ransomware samples that are still being developed.

The Hitler ransomware claims to have encrypted all of the victim’s files; a countdown clock ticks away while it demands a €25 Vodafone card. Once the time is up, however, it deletes all files in the UserProfile folder. This and other characteristics may change, as the experts believe the Hitler ransomware is still in the development stage.

Then there’s Android ransomware that features a cat on the lock screen. It can send or delete SMS messages, can encrypt the SD card and has botnet capabilities. Researchers believe this ransomware variant is a demo version.
