A new ransomware strain called Rensenware is breaking new ground with a unique tactic: instead of demanding money, it tells victims to play a video game.
In a move that hardly anyone in the security community could have anticipated, a questionably judicious individual going by the Twitter handle Tvple Eraser has made quite an appearance on the e-extortion scene. He cooked up a malicious program dubbed Rensenware, which encrypts data and then instructs the victim to score more than 0.2 billion points in the game TH12 ~ Undefined Fantastic Object. While some of those infected might heave a sigh of relief on learning that the attacker's demands are not about money, that impression is premature. Reaching that score on the Lunatic difficulty level of the aforementioned anime shooter, also known as Touhou Seirensen, is an extremely tough objective.
The Rensenware author, possibly a Korean resident judging from some of his posts on Twitter, has already apologized to everyone affected and stated that the project was intended to be nothing but a joke. He has since also released a tool called Enhanced Forcer for Rensenware, which patches the memory of TH12 ~ Undefined Fantastic Object so that decryption can be approved and started without the user actually having to play the game. These efforts to undo such a reckless mistake are commendable, but the infection is still causing tangible problems for plagued users who are at their wit's end trying to restore their valuable data. Finding and using the above fix takes time, and the tool's reliability has not been independently vetted as of this writing.
The Rensenware program itself is pretty crude in terms of its compromise workflow. It is configured to encrypt data on both fixed and removable drives. Consequently, it may crash repeatedly while trying to scramble data on a CD drive even when there is no optical disc in it. That nuance aside, the malware scans an infected machine for about 30 file types, including Microsoft Office documents, images, audio files and archives, and then encrypts every matching item with the AES-256 algorithm. A predictable byproduct of this activity is the .RENSENWARE extension appended to locked files. Unlike almost all in-the-wild ransomware samples, this one does not erase the Volume Shadow Copies of the victim's data, so it is technically possible to restore the information through forensic means. As soon as the crypto part of the attack has completed, Rensenware displays a warning window explaining the prerequisites for decryption.
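The two behaviours just described (a fixed extension appended to every encrypted file, and Shadow Copies left intact) give an incident responder a cheap triage step: inventory the locked files, map each back to its original name, and hand that list to the shadow-copy restore. The script below is an added example, not code from the article or from the malware author; the directory layout it scans is constructed sample data.

```python
"""Triage helper for a Rensenware-style infection (added example).

Walks a directory tree, finds files carrying the appended ransomware
extension, recovers each original file name (the name to look for in
Volume Shadow Copies, which this family does not delete) and summarises
which of the targeted document types were hit.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".RENSENWARE"  # extension the malware appends to locked files


def original_name(encrypted: Path) -> Path:
    """Strip the appended extension to get the pre-encryption file name."""
    if encrypted.suffix.upper() != RANSOM_EXT:
        raise ValueError(f"not a Rensenware artifact: {encrypted}")
    return encrypted.with_suffix("")


def scan_for_rensenware(root: str) -> dict:
    """Count encrypted files by original type and list the original paths
    an analyst should try to restore from shadow copies or backups."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if p.suffix.upper() == RANSOM_EXT:
                hits.append(p)
    by_type = Counter(original_name(p).suffix.lower() for p in hits)
    return {
        "encrypted_count": len(hits),
        "by_original_type": dict(by_type),
        "restore_candidates": sorted(str(original_name(p)) for p in hits),
    }


def build_sample_tree() -> str:
    """Create a throwaway directory mimicking a hit user profile (constructed data)."""
    root = tempfile.mkdtemp(prefix="rensen_")
    for rel in ("docs/report.docx.RENSENWARE", "docs/budget.xlsx.RENSENWARE",
                "pics/cat.jpg.RENSENWARE", "music/track.mp3", "notes.txt"):
        f = Path(root, rel)
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"\x00constructed sample\x00")  # contents are irrelevant
    return root


if __name__ == "__main__":
    print(scan_for_rensenware(build_sample_tree()))
```

On a real Windows host, the `restore_candidates` list is what you would feed into a Previous Versions or `vssadmin`-based restore of the affected folders.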
Even though the wannabe hacker behind this story has admitted he was wrong and that it was all just for fun, victims suffer real-world consequences and have to waste time and effort sorting things out. The incident is reminiscent of the open-source Hidden Tear and EDA2 projects, whose originally benign educational code was weaponized by crooks to create real threats. No matter how talented malware researchers are, they should think twice before blowing their own trumpet just for show.