Pokemon GO Ransomware

The Pokemon GO Ransomware is a threat infection that takes over a computer and installs a backdoor. A backdoor is a simply term for access into the affected computer. Using a backdoor, third parties can have access to a computer automatically. To carry out its attack, the Pokemon GO Ransomware leverages the enormous success of the Niantic's mobile game, the Pokemon GO. The Pokemon GO Ransomware carries out two types of attacks, a basic encryption ransomware attack, which encrypts the victims' files to demand a ransom, and the creation of a backdoor to provide access to infected computers.

The Pokemon GO Ransomware is not Different from Other Ransomware Trojans

The Pokemon GO Ransomware was discovered recently in August of 2016, just a month after the Pokemon GO was officially released. It seems that the versions of the Pokemon GO Ransomware appearing in the wild are still in development, meaning that it is possible that the con artists are preparing for a worldwide distribution campaign involving full versions of their threat. The Pokemon GO Ransomware is delivered in a corrupted executable file named 'PokemonGo.exe' which uses an icon of the recognizable Pokemon Pikachu. When computer users click on the Pokemon GO Ransomware's executable file, it begins encrypting the victim's files. The Pokemon GO Ransomware is based on Hidden Tear, an open source encryption ransomware Trojan released in 2016. Like Hidden Tear, the Pokemon GO Ransomware contains an encryption backdoor.

After the Pokemon GO Ransomware finishes encrypting its victims' files, the Pokemon GO Ransomware creates and hides a Windows admin account named 'Hack3r' which allows fraudsters to access the infected computer. The Pokemon GO Ransomware copies itself to all drives detected on the victim's computer and changes the affected computer's settings to ensure that the Pokemon GO Ransomware runs automatically whenever Windows starts up. The Pokemon GO Ransomware is designed to operate in the background, copying itself to any removable drives or network drives connected to the infected computer.

This Version of the Pokemon GO Ransomware may be Under Development

It is very likely that the Pokemon GO Ransomware is in its testing phase. One of the main reasons why researchers believe this, is that the Pokemon GO Ransomware is using a static encryption key currently, '123vivalalgerie.' The Pokemon GO Ransomware also attempts to connect to a private IP address, which would only be accessible from a routed network rather than from the Internet. As of now, the Pokemon GO Ransomware's ransom note and lock screen are written in Arabic. Combining this knowledge with the static encryption key, which mentions Algeria and is in French, it is possible to conclude that the people responsible for the Pokemon GO Ransomware are from, or related to, this part of the world.

Dealing Now and in the Future with the Pokemon GO Ransomware

If the full version of the Pokemon GO Ransomware is released, including the Pokemon GO and Pikachu in their content, it is possible to identify it as the Pokemon GO Ransomware through the ransom note. The Pokemon GO Ransomware has been linked to the email address 'blackhat20152015@gmail.com.' One fortunate characteristic of the Pokemon GO Ransomware is that it is based on Hidden Tear. Currently, there is a decryption utility available for victims of Hidden Tear, which should, in theory, help computer users to recover from a Pokemon GO Ransomware infection.

Con artists may take advantage of the popularity of new games, news stories, or world events to distribute threats. The Pokemon GO has been a worldwide phenomenon, and it is not surprising that the con artists are starting to take advantage of this by offering fake versions of the game, bogus guides news and cheating applications. Security analysts advise computer users to exercise caution when dealing with these programs since they may be used to distribute threats such as the Pokemon GO Ransomware.