
Blank Ransomware

By GoldSparrow in Ransomware

The Blank Ransomware is an encryption ransomware Trojan that is based on HiddenTear, an open-source ransomware engine that was first released publicly in August 2015. Since its release, HiddenTear has been responsible for countless ransomware variants, of which the Blank Ransomware is one of the most recent (released in February 2018). The Blank Ransomware is distinctive in that it encrypts more than six hundred file types, most of which seem to be associated with PC games and game development. It is likely that the Blank Ransomware was created in part as a training or educational tool, at least initially. However, these 'educational' ransomware Trojans have a tendency to go public and be adapted for nefarious purposes, as was the case with HiddenTear itself.

Game Lovers Should Be Aware of the Blank Ransomware

The Blank Ransomware will encrypt numerous file types in its attack, which may include saved game files, logs, configuration files, databases, and other files that are commonly associated with popular Windows PC video games. The Blank Ransomware will also encrypt the files that are used by game creation kits such as the Unreal and Unity engines. The attack will render popular games such as the Civilization series, Quake and World of Warcraft useless. The Blank Ransomware will also target the files that are associated with Xbox on Windows. Apart from encrypting game-related files, the Blank Ransomware will also encrypt files with more commonly used extensions, such as the following:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

The Blank Ransomware will add the file extension '.blank' to the end of each affected file's name, making it easy to see which files have been encrypted by the Blank Ransomware attack.

The Blank Ransomware's 'Ransom' Note

The Blank Ransomware will change the infected computer's desktop to show a text message and, after encrypting the victim's files, will open a program window titled 'Decrypt' that asks for a decryption password. The following text is displayed on the infected computer:

'YOU HAVE BEEN INFECTED WITH BLANK
RANSOMWARE
Your important files: documents, videos: pictures etc. have been encrypted. In order to decrypt them click a magic button. This ransomware was made for fun and it won't want you to pay for files.
Have fun decrypting your files!'

The Blank Ransomware will decrypt the victim's files, but will not remove the '.blank' file extension from them. Instead, it will change the extension to '.decrypted,' meaning that the affected files will remain inaccessible until the victim changes the extension manually (which can be highly inconvenient and time-consuming). Many of the affected files are often backed up automatically on gaming servers, which helps computer users restore their data after an attack. Although it is clear that the intention behind the Blank Ransomware is not to demand large ransoms from the victims but simply to harass them, it is very likely that versions of the Blank Ransomware that demand money from the victims will appear. Remember that there are countless versions of these threats currently available that do not help victims recover their files, making it essential to take preemptive steps to protect data from these infections.
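The manual renaming described above can be scripted for recovery. The following is an added example, not code from this article or from any vendor tool; it assumes decrypted files are named `<original name>.decrypted`, and the function names and sample file names are hypothetical.

```python
import os
import tempfile
from pathlib import Path

DECRYPTED_SUFFIX = ".decrypted"  # extension left on decrypted files (from the article)
ENCRYPTED_SUFFIX = ".blank"      # extension of files that are still encrypted (from the article)


def restore_names(root, dry_run=True):
    """Walk root and strip the trailing '.decrypted' from file names.

    Returns (renamed, skipped, still_encrypted) as lists of Path objects.
    With dry_run=True nothing is renamed; 'renamed' lists the planned targets.
    A file is skipped, never overwritten, when the original name already exists.
    """
    renamed, skipped, still_encrypted = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            lower = name.lower()
            if lower.endswith(ENCRYPTED_SUFFIX):
                still_encrypted.append(path)      # not decrypted yet: report only
            elif lower.endswith(DECRYPTED_SUFFIX) and len(name) > len(DECRYPTED_SUFFIX):
                target = path.with_name(name[: -len(DECRYPTED_SUFFIX)])
                if target.exists():
                    skipped.append(path)          # e.g. a copy already restored from backup
                    continue
                if not dry_run:
                    path.rename(target)
                renamed.append(target)
    return renamed, skipped, still_encrypted


def demo():
    """Run against a constructed directory tree (all sample file names are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "saves").mkdir()
        (root / "saves" / "slot1.sav.decrypted").write_text("save data")
        (root / "notes.txt.decrypted").write_text("decrypted copy")
        (root / "notes.txt").write_text("restored from backup")
        (root / "level.dat.blank").write_text("ciphertext")
        groups = restore_names(root, dry_run=False)
        return tuple(sorted(p.name for p in group) for group in groups)


if __name__ == "__main__":
    print(demo())
```

Run it with `dry_run=True` first and review the skipped list before renaming anything; files still reported with the '.blank' extension have not been decrypted and are left untouched.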
