Ransomware masquerades as mobile version of Cyberpunk 2077
A threat actor is distributing fake Windows and Android installers for the Cyberpunk 2077 game that install a ransomware calling itself CoderWare.
To trick users into installing malware, threat actors commonly distribute it as game installers, cheats, and cracks for copyrighted software.
This week, Kaspersky malware analyst Tatyana Shishkova discovered an Android ransomware masquerading as a mobile version of the Cyberpunk 2077 game. The game was being distributed from a fake website impersonating the legitimate Google Play Store.
Ransomware disguised as mobile Cyberpunk 2077 game
Shishkova tweeted that the CoderWare ransomware utilizes a hardcoded key, which means a decryptor can be made if necessary to recover files for free.
"RC4 algorithm with hardcoded key (in this example - "21983453453435435738912738921") is used for encryption. That means that if you got your files encrypted by this #ransomware, it is possible to decrypt them without paying the ransom."
You can see the hardcoded key '21983453453435435738912738921' in the ransomware source code shown below.
Source code for Android ransomware app
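To make the analyst's point concrete, here is an added example (not code from the article, from Kaspersky, or from the ransomware itself): a minimal RC4 implementation showing that, because the cipher is symmetric and the key is fixed, the same routine that produced the ciphertext recovers the original file. It uses the key quoted in the tweet and assumes the encrypted file is plain RC4 output with no extra header; the sample file contents are constructed.

```python
# Added example: RC4 (KSA + PRGA) to demonstrate recovery with a known key.
# The key is the one quoted in the article; the sample data is constructed.
from typing import Iterator

HARDCODED_KEY = b"21983453453435435738912738921"


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield the RC4 keystream bytes for `key`."""
    # Key-scheduling algorithm (KSA): permute S using the key
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): emit keystream bytes
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; encryption and decryption are the same operation."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def recover_file(encrypted: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """Decrypt a file locked with the hardcoded key (assumes no file header)."""
    return rc4(key, encrypted)


if __name__ == "__main__":
    original = b"constructed sample document contents"  # constructed test data
    locked = rc4(HARDCODED_KEY, original)  # what a fixed-key RC4 locker would produce
    print("recovered:", recover_file(locked))
```

The known-key recovery works for any file length because a stream cipher never changes the data size; a real decryptor would only need to add handling for whatever file header or extension the sample appends.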
Windows version released in November
This ransomware is the same as one discovered by MalwareHunterTeam in November that was disguised as a Windows Cyberpunk 2077 installer. Like the Android version, this ransomware calls itself CoderWare but is a variant of the BlackKingdom ransomware.
Windows CoderWare ransom note
The Windows variant was a compiled Python executable that would encrypt a victim's files and append the .DEMON extension to the encrypted files' names.
Encrypted files in Windows
It is not known at this time whether the Windows version uses a hardcoded key.
As you can see, when attempting to install copyrighted software for free, you face huge risks of malware infections. This risk is even more significant when you try to install Android apps from third-party app stores.