Pokemon Go Ransomware Installs And Creates Backdoor Account In Windows

Pokemon Go has become the most downloaded game in many countries, including the U.S.A., and with that much popularity it was only a matter of time before malware started impersonating it. Michael Gillespie discovered a new Hidden-Tear ransomware variant that poses as Pokemon Go and targets Arabic-speaking victims.

Like other ransomware infections, the Pokemon Go ransomware follows a familiar pattern. It scans the victim's whole drive for files with extensions such as .txt, .rtf, .doc, .pdf, .mht, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .htm and .gif.

After the scan it encrypts those files using AES encryption and appends its extension to each encrypted file. When the process finishes, it displays a message telling the victim to contact [email protected] for payment instructions.

In most ransomware infections the malware encrypts your data, deletes itself and then displays a ransom note, so the attacker leaves no trace on the machine beyond the encrypted files. Here the attackers do not stop at demanding payment: they also create a backdoor account on your computer so that they can come back later. When you install this application, a new account belonging to the attacker is added directly to the Administrators group.


Although the account exists on your computer, it is hidden from the logon screen by the following Windows registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList “Hack3r” = 0

A function also creates a network share on the victim's Windows computer, which may be blocked by the firewall on Windows and on the router. And it doesn't end there: the ransomware is so destructive that it also installs itself on every USB device that is attached.

Again it doesn't end there: whenever that USB device is connected to another machine, the malware copies itself to the root of the drive and installs itself there, making the attacker an administrator of that machine too. The C: drive is targeted because that is where the operating system lives.
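The two persistence mechanisms described above (a hidden local administrator account and an unexpected network share) are both easy to check for from an elevated PowerShell prompt. The script below is an added detection example, not code from the article or from the malware analysis: it lists every account hidden from the logon screen via the Winlogon SpecialAccounts\UserList key, reports whether each one exists locally and sits in the Administrators group (looked up by its well-known SID so the check works on non-English Windows), and then lists non-administrative SMB shares. Only the registry path and the account name "Hack3r" come from the article; the cmdlets are standard Windows PowerShell 5.1 (LocalAccounts and SmbShare modules).

```powershell
# Added detection example (not from the article): find accounts hidden from the logon
# screen via Winlogon\SpecialAccounts\UserList and flag any that are local administrators.
$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

$hidden = @()
if (Test-Path $userListKey) {
    $props = Get-ItemProperty -Path $userListKey
    foreach ($p in $props.PSObject.Properties) {
        # Skip PowerShell's own metadata properties (PSPath, PSParentPath, ...)
        if ($p.Name -like 'PS*') { continue }
        # A REG_DWORD value of 0 hides the account named by the value from the logon screen
        if ($p.Value -eq 0) { $hidden += $p.Name }
    }
}

# Members of the built-in Administrators group (S-1-5-32-544), reduced to bare account names
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { ($_.Name -split '\\')[-1] }

Write-Host "Accounts hidden from the logon screen:"
foreach ($name in $hidden) {
    $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HiddenAccount = $name              # e.g. "Hack3r" in the case described above
        ExistsLocally = [bool]$user
        Enabled       = if ($user) { $user.Enabled } else { $null }
        InAdmins      = $admins -contains $name
    }
}

# Second check: SMB shares that are not the default administrative ones (names ending in $).
# An unexplained share here is worth investigating alongside a hidden admin account.
Write-Host "Non-administrative SMB shares:"
Get-SmbShare | Where-Object { $_.Name -notlike '*$' } |
    Select-Object Name, Path, Description
```

A hidden account that exists, is enabled and is in Administrators should be removed (Remove-LocalUser -Name <account>) and the corresponding UserList value deleted (Remove-ItemProperty on the same key), after which the rest of the machine still needs to be treated as compromised, since the malware also spreads via USB drives.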

Here is an example of the note the victim receives; Arabic-speaking victims get a note like:

(: لقد تم تشفير ملفاتكم، لفك الشفرة فلكسي موبيليس للعنوان التالي [email protected] وشكرا على كرمكم مسبقا

The English translation:

(: Your files have been encrypted. To decrypt them, send Flexy Mobilis to the following address [email protected], and thank you in advance for your generosity
