Leveraging the craze around the newly released game, threat actors have begun exploiting Cyberpunk 2077 for malicious ends. Cybercriminals have been observed deploying ransomware that masquerades as a Cyberpunk 2077 mobile game app.
Ransomware Masks As Cyberpunk 2077
Security researcher and malware analyst Tatyana Shishkova has found ransomware targeting mobile gamers. Identified as CoderWare, the ransomware poses as the mobile version of the newly launched Cyberpunk 2077.
The ransomware has not, so far, managed to appear on the Google Play Store. Rather, it is being distributed via a fake website that mimics the Play Store.
New Android #Ransomware disguised as #Cyberpunk2077 game.
Downloaded from fake website imitating Google Play Store.
Extension: .coderCrypt
Family: CoderWare/BlackKingdom https://t.co/JBudDP6vG1 pic.twitter.com/TdM4SAkFWl
— Tatyana Shishkova (@sh1shk0va) December 16, 2020
Once on the victim's device, the malware locks the user out and encrypts all the files, adding a .coderCrypt extension to each.
Such encryption and the ransom demand that follows would alarm any user.
However, according to the researcher, the malware encrypts files with the RC4 algorithm using a hardcoded key. Hence, the victim can possibly get the files decrypted without paying the ransom.
❗️ RC4 algorithm with hardcoded key (in this example – "21983453453435435738912738921") is used for encryption. That means that if you got your files encrypted by this #ransomware, it is possible to decrypt them without paying the ransom. https://t.co/Lj1hD1SvRK
— Tatyana Shishkova (@sh1shk0va) December 17, 2020
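The researcher's point is that RC4 is a symmetric stream cipher: the same key that encrypted the files decrypts them, so a key embedded in the sample is all a victim needs. The following is an added example written for this article, not the researcher's tooling or the ransomware's own code. It implements RC4 from scratch and recovers a constructed sample file using the key quoted in the tweet above; it assumes the ciphertext is simply the file bytes XORed with the RC4 keystream and that the suffix is the only change to the filename, since the article does not describe the sample's on-disk layout.

```python
# Added example (not from the article or the malware): recovering files
# encrypted with RC4 under a known, hardcoded key.
# Assumption: the encrypted file is the original bytes XORed with the RC4
# keystream, with no header, length field or per-file nonce. The real
# sample's format is not described in the article.

from typing import Iterator, Tuple

# Key quoted in the researcher's tweet; other builds may use a different one.
HARDCODED_KEY = b"21983453453435435738912738921"
ENCRYPTED_SUFFIX = ".coderCrypt"


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield the RC4 keystream for ``key`` (KSA followed by PRGA)."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    # Key-scheduling algorithm: permute the 256-byte state with the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: one keystream byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: encryption and decryption are the same XOR."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def recover_file(name: str, ciphertext: bytes,
                 key: bytes = HARDCODED_KEY) -> Tuple[str, bytes]:
    """Return (original filename, plaintext) for one encrypted file.

    The suffix check prevents "decrypting" an untouched file, which with a
    stream cipher would silently turn a good file into garbage.
    """
    if not name.endswith(ENCRYPTED_SUFFIX):
        raise ValueError(f"{name!r} does not carry the {ENCRYPTED_SUFFIX} suffix")
    original_name = name[: -len(ENCRYPTED_SUFFIX)]
    return original_name, rc4(key, ciphertext)


if __name__ == "__main__":
    # Constructed sample: a document as a victim would find it after the
    # ransomware ran, i.e. RC4-encrypted and renamed with the suffix.
    plaintext = b"Quarterly report - confidential\n"
    locked_name = "report.docx" + ENCRYPTED_SUFFIX
    locked_bytes = rc4(HARDCODED_KEY, plaintext)
    name, recovered = recover_file(locked_name, locked_bytes)
    print(name, recovered == plaintext)
```

Before running anything like this against real victim data, verify the key and file layout on a copy of one small file (an encrypted file whose original is still known, such as a system file, is a good check); if the sample prepends a header or uses a per-file key, a blind XOR will produce noise rather than the document.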
Not The First Attempt
This isn't the first time, though, that malware has emerged exploiting Cyberpunk 2077. In November, MalwareHunterTeam discovered a similar ransomware targeting Windows systems. That ransomware also called itself CoderWare and belonged to the BlackKingdom ransomware family. At that time, it posed as a Cyberpunk 2077 installer.
"CyberPunk2077.sfx.exe" -> "CyberPunk2077.exe": 08124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424
Some Python ransomware, calling itself "CoderWare"…
Extension: .DEMON
"whatsap: +63 997 401 3126"
@demonslay335 pic.twitter.com/tmyagJ1ZEq
— MalwareHunterTeam (@malwrhunterteam) November 26, 2020
Upon encryption, the Windows variant added a .DEMON extension to the encrypted files.
Cyberpunk 2077 is a newly launched combat game that won several awards before its release. It has also made the news for a string of bugs and glitches in the console versions of the game.
Until this month, CoderWare ransomware had targeted Windows users; now it targets Android users as well. While iOS users seem safe so far, they too should remain wary of any app posing as the Cyberpunk 2077 game.
In fact, all Cyberpunk 2077 fans should first verify the authenticity of any game app via the official website before downloading it onto their device.