Heads up Fortnite players! Here’s some ransomware coming your way! Disguised as a Fortnite hack tool, the Syrk ransomware is all geared up to target players and make money them.
Syrk Ransomware Masked As Hack Tool
Researchers from the security firm Cyren have discovered a malware campaign targeting Fortnite players. This one attempts to fool the players by impersonating a gaming cheat. Specifically, the Syrk ransomware targets players in the guise of a Fortnite hack tool. They have elaborated their details about their findings in a blog post.
As explained, the ransomware tricks the Fortnite players by appearing as a cheat that would supposedly help a player in aiming and locating other players. The malware caught the attention of Cyren researchers after another security analyst with alias Leo on Twitter reported about it.
Syrk Ransomware seems inspired by a Fortnite Hacktool, terminates task manager, process hacker, really good at being persistent and annoying. Does encrypt but might still be in development. 30/67 in VThttps://t.co/x7Y6Tz4NB1 pic.twitter.com/6e9wI8XTQR
— Leo (@leotpsc) August 1, 2019
The Syrk malware acts like any other ransomware by encrypting the files stored in the target device. The victim is then given a short time to arrange the ransom. At the end of the deadline, the ransomware starts deleting the files, thus creating further pressure on the victim. It deletes the files every two hours by first deleting the pictures in the user profile, then the desktop files, and then, the documents.
After deleting from these three areas, it then moves on to the USB drive data. In case it detects any files present on USD drive, it replaces the original ones with an SCR file. Yet, it doesn’t actually delete the original file, rather keeps a copy of it in $LimeUSB folder.
The Ransomware also monitors the Taskmgr, Procmon64, and ProcessHacker tools to prevent them from terminating the malware.
Digging further let the researchers establish that the Syrk ransomware is actually the Hidden-Cry malware with a .Syrk extension. It is an open-source malware that appeared online last year on GitHub.
Don’t Worry Though; Here’s What You Can Do
While ransomware attacks are almost always worrisome, particularly when the malware starts deleting files after a few hours, it isn’t so scary in the case of Syrk. Cyren explained that the malware itself encloses the decryptor in the infected machine.
The file dh35s3h8d69s3b1k.exe is the Hidden-Cry decrypting tool and can be found as one of the resources embedded in the main malware. Since the key used is already known, it can be used to create a PowerShell script based on the shared source of the Hidden-Cry decrypter. To do this, extract the embedded file dh35s3h8d69s3b1k.exe and execute the file in the infected machine. It will drop the necessary PowerShell script needed to decrypt the files.
it also drops these .txt files containing the password.
- C:\Users\Default\AppData\Local\Microsoft\-i+.txt: contains the randomly generated ID
- C:\Users\Default\AppData\Local\Microsoft\-pw+.txt: includes the password
- C:\Users\Default\AppData\Local\Microsoft\+dp-.txt: contains ID and password
If the victim decrypts the files using the password, the malware then drops and executes Delete.exe file which deletes other files. Plus, it also drops a delmy.exe file which then deletes the main file %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SydneyFortniteHacks.exe
So, if the victim succeeds in finding the password, it is not really difficult to get rid of the ransomware.
Nonetheless, Fortnite players must remain cautious while using hack tools. You never know when you fall prey to something malicious.