Chaos Ransomware Hits Japanese Minecraft Players

Security researchers at FortiGuard have uncovered a variant of the Chaos ransomware that targets Japanese Minecraft gamers. The Chaos malware encrypts gamers' Windows devices via fake Minecraft alt lists promoted on gaming platforms. 

Minecraft is a hugely popular sandbox video game currently played by over 140 million people, and according to Nintendo sales numbers, it is the best-selling game in Japan. The amount of creativity that players can express in the sandbox game contributes to its popularity.

According to FortiGuard researchers, Chaos ransomware is actively spreading in Japan, encrypting Minecraft players' files and dropping ransom notes.

The bait used by the threat actors is 'alt list' text files that supposedly contain stolen Minecraft account credentials but are, in reality, Chaos ransomware executables. Minecraft players who want to troll or offend other players without the risk of getting banned use 'alt' lists to find stolen accounts that they can use for bannable offenses.

Because of their popularity, alt lists are always in demand and are generally shared for free or by automated account mills that provide the community with "spare" accounts. After encrypting users' files, the Chaos ransomware adds four arbitrary characters or digits to their extensions and drops a ransom note named 'ReadMe.txt,' in which the cybercriminals demand 2,000 yen (~$17.56) for file recovery.

This particular variant of the Chaos ransomware is configured to search compromised systems for various file types smaller than 2 MB and encrypt them. However, if a file is bigger than 2 MB, random bytes are inserted into it, making it unrecoverable even if the ransom is paid. Because of this destructive behavior, those who pay the ransom can only recover smaller files.

The rationale for this functionality is unclear; it may be attributable to poor coding, incorrect configuration, or a deliberate attempt to damage gamers' files. In this particular campaign, cybercriminals are selling text files to create a false sense of safety while swapping them out in the long run with executables. Users should remain vigilant and not execute any files they download from the Internet unless they trust the site and have scanned the files with a service like VirusTotal.
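
Since the lure is a file presented as a text list that is actually a Windows executable, the file's content can be checked before anything is opened. The script below is an added example, not code from FortiGuard or from this post; the function names and the sample inputs are constructed for illustration.

```python
import struct

def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # An out-of-range offset yields an empty slice, which simply fails the match.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def looks_like_text(data: bytes, sample: int = 4096) -> bool:
    """True if the first `sample` bytes are NUL-free, valid UTF-8."""
    chunk = data[:sample]
    if b"\x00" in chunk:
        return False
    try:
        chunk.decode("utf-8")
    except UnicodeDecodeError as err:
        # Tolerate only a multi-byte character cut off by the sample boundary.
        return len(data) > sample and err.start >= len(chunk) - 3
    return True

def verdict(data: bytes) -> str:
    """Classify a downloaded 'alt list' by content, ignoring its name and icon."""
    if is_pe(data):
        return "pe-executable"
    if not looks_like_text(data):
        return "binary"
    return "text"

def constructed_pe_sample() -> bytes:
    """Constructed input: a bare DOS header plus PE signature, not a real program."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    return bytes(header) + b"PE\x00\x00" + bytes(20)

if __name__ == "__main__":
    # Constructed samples: a genuine text list, a disguised executable, random junk.
    samples = [
        ("alts.txt (real text)", b"player1@example.com:password1\n"),
        ("alts.txt (disguised)", constructed_pe_sample()),
        ("alts.txt (binary junk)", b"\x00\x01\x02\xff"),
    ]
    for label, data in samples:
        print(f"{label}: {verdict(data)}")
```

A "pe-executable" or "binary" verdict for something offered as a text list means it should not be run.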