Malware has long been a destructive force in the lives of computer users, given how integral the Internet has become to everyday life for most people. However, computer security experts have noticed a relatively new trend: a file-encrypting threat dubbed TeslaCrypt Ransomware that explicitly targets PC video gamers.
The video gaming landscape is vast, and many gamers, young and old, have the time and money to play on dedicated gaming systems and robust gaming PCs, such as those from Alienware and Razer Blade. Unfortunately, TeslaCrypt Ransomware, a type of malware that once targeted business computer users to encrypt files and hold them for a ransom fee, has moved on to the greener pastures of PC gaming.
TeslaCrypt Plays its Own Games
TeslaCrypt Ransomware first began its life in March of 2018, targeting many different file types, as many as 185 in total. Of those, about 50 were gaming file types, which naturally put TeslaCrypt in the limelight among computer security researchers for its different approach to attacking Windows-based computers.
TeslaCrypt has gained newfound notoriety for ramping up its efforts to specifically target gaming systems by leveraging gaming files, which are found in abundance on gaming rigs such as those from Alienware and Razer Blade, two of the most popular mainstream brands for PC video gamers. Such systems are built with powerful processors and capable video cards, but, like any other unprotected PC, they may still lack the antimalware resources needed to shield them from emerging threats like TeslaCrypt.
Figure 1. Variation 1 of TeslaCrypt Ransomware Ransom Notification
Figure 2. Variation 2 of TeslaCrypt Ransomware Ransom Notification
Figure 3. Variation 3 of TeslaCrypt Ransomware Ransom Notification
Known file extensions affected by TeslaCrypt:
.7z, .map, .m2, .rb, .jpg, .rar, .wmo, .mcmeta, .png, .cdr, .m4a, .itm, .vfs0, .jpeg, .indd, .wma, .sb, .mpqge, .txt, .ai, .avi, .fos, .kdb, .p7c, .eps, .wmv, .mcgame, .db0, .p7b, .pdf, .csv, .vdf, .DayZProfile, .p12, .pdd, .d3dbsp, .ztmp, .rofl, .pfx, .psd, .sc2save, .sis, .hkx, .pem, .dbfv, .sie, .sid, .bar, .crt, .mdf, .sum, .ncf, .upk, .cer, .wb2, .ibank, .menu, .das, .der, .rtf, .t13, .layout, .iwi, .x3f, .wpd, .t12, .dmp, .litemod, .srw, .dxg, .qdf, .blob, .asset, .pef, .xf, .gdb, .esm, .forge, .ptx, .dwg, .tax, .001, .ltx, .r3d, .pst, .pkpass, .vtf, .bsa, .rw2, .accdb, .bc6, .dazip, .apk, .rwl, .mdb, .bc7, .fpk, .re4, .raw, .pptm, .bkp, .mlx, .sav, .raf, .pptx, .qic, .kf, .lbf, .orf, .ppt, .bkf, .iwd, .slm, .nrw, .xlk, .sidn, .vpk, .bik, .mrwref, .xlsb, .sidd, .tor, .epk, .mef, .xlsm, .mddata, .psk, .rgss3a, .erf, .xlsx, .itl, .rim, .pak, .kdc, .xls, .itdb, .w3x, .big, .dcr, .wps, .icxs, .fsh, .unity3d, .cr2, .docm, .hvpl, .ntl, .wotreplay, .crw, .docx, .hplg, .arch00, .xxx, .bay, .doc, .hkdb, .lvl, .desc, .sr2, .odb, .mdbackup, .snx, .py, .srf, .odc, .syncdb, .cfr, .m3u, .arw, .odm, .gho, .ff, .flv, .3fr, .odp, .cas, .vpp, _pc, .js, .dng, .ods, .svg, .lrf, .css, .jpe, .odt
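As an added example (not code from the original article or from any vendor named in it), the following Python sketch turns the extension list above into a simple burst detector over file-write events: a single process rewriting many targeted file types within seconds is a typical early sign of crypto-ransomware at work. The log format, process IDs and paths are constructed for the example; only a subset of the listed extensions is included.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the extensions listed above (constructed sample; extend it from the full list).
TESLACRYPT_EXTENSIONS = {
    ".7z", ".jpg", ".png", ".txt", ".pdf", ".docx", ".xlsx", ".psd", ".sav",
    ".sc2save", ".dayzprofile", ".d3dbsp", ".wotreplay", ".unity3d", ".upk",
    ".rgss3a", ".forge", ".bsa", ".esm", ".ff",
}

def is_targeted(path):
    """True if the file's extension is in the target set (case-insensitive)."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in TESLACRYPT_EXTENSIONS

def parse_event(line):
    """Parse one constructed 'ISO-timestamp|pid|path' file-write record."""
    ts, pid, path = line.strip().split("|", 2)
    return datetime.fromisoformat(ts), int(pid), path

def find_bursts(lines, threshold=5, window=timedelta(seconds=30)):
    """Return {pid: peak_count} for processes that wrote >= threshold targeted files in one window."""
    per_pid = defaultdict(list)
    for line in lines:
        ts, pid, path = parse_event(line)
        if is_targeted(path):
            per_pid[pid].append(ts)
    flagged = {}
    for pid, stamps in per_pid.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):      # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[pid] = peak
    return flagged

# Constructed sample: pid 4120 rewrites saves and documents within seconds; pid 880 is a normal app.
SAMPLE_EVENTS = [
    "2016-03-01T12:00:00|4120|C:\\Users\\gamer\\Documents\\StarCraft II\\Saves\\a.SC2Save",
    "2016-03-01T12:00:01|4120|C:\\Users\\gamer\\Documents\\StarCraft II\\Saves\\b.SC2Save",
    "2016-03-01T12:00:02|4120|C:\\Users\\gamer\\Documents\\thesis.docx",
    "2016-03-01T12:00:03|4120|C:\\Users\\gamer\\Pictures\\holiday.jpg",
    "2016-03-01T12:00:04|4120|C:\\Users\\gamer\\Saved Games\\DayZ\\me.DayZProfile",
    "2016-03-01T12:00:05|4120|C:\\Users\\gamer\\Desktop\\notes.txt",
    "2016-03-01T12:00:30|880|C:\\Users\\gamer\\Documents\\report.docx",
    "2016-03-01T12:05:00|880|C:\\Users\\gamer\\Pictures\\cat.png",
]
```

Running `find_bursts(SAMPLE_EVENTS)` flags only pid 4120, which touched six targeted files in five seconds; a real deployment would feed it Sysmon or EDR file-create events and tune the threshold to the host's normal write rate.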
Hackers behind TeslaCrypt refined the malware and sold it on the clandestine market, or Dark Web, to other cybercriminals. However, researchers from Symantec and Bromium Labs noticed TeslaCrypt evolving to the point where it now targets more file types associated with video games. TeslaCrypt has several different variations of its ransom note, as shown in Figures 1, 2, and 3 above. Some of the ransom note variations are set as the Windows desktop wallpaper, while others display in a self-contained window or in a web page window.
One may ask the reason for such a change, and researchers would conclude that it is because games are popular, and as the holidays approach gamers gravitate towards discounted gaming titles in droves. Simply put, the PC video gaming world is vast, and hackers always look for a field full of prey that they can easily attack. As demonstrated in the Figure 4 chart below, games make up the most popular type of TeslaCrypt-targeted file, beating out images, documents, and other files by nearly 50%.
Figure 4. Chart: TeslaCrypt Targeted Files Types - Source: Bromium Labs
Specific Games Targeted by TeslaCrypt
Among the specific titles that TeslaCrypt hackers are targeting, the majority are single-player games, such as Call of Duty, StarCraft 2, Diablo, Fallout 3, Minecraft, Half-Life 2, Assassin's Creed, WarCraft 3, Star Wars: Knights of the Old Republic, BioShock 2, and Saints Row 2. The online games targeted by TeslaCrypt range from World of Warcraft to World of Tanks, while the gaming platform Steam and the game development software RPG Maker, Unreal Engine, and Unity3D are also actively targeted by TeslaCrypt.
The games and gaming software noted above are prime examples of the files that TeslaCrypt Ransomware encrypts and uses as leverage to demand as much as $1,000 from each victimized gamer. The ransom note is eerily similar to those of older ransomware threats like CryptoLocker: the notification is set as the desktop wallpaper and advises the user that their only option is to pay a substantial ransom via two PayPal My Cash Cards. According to the L.A. Times, citing Symantec, crypto ransomware threats made a resurgence from 2013 through 2015, after something of a hiatus following their decline in 2006, to become the majority of new families among misleading apps, fake AV programs, locker ransomware, and crypto ransomware, as shown in the Figure 5 chart below.
Figure 5. Percentage of new malware families including misleading apps, fake AV, lockers, and cryptoransomware - Source: Symantec
According to the cybersecurity firm StormShield, regions like Korea, Turkey, Italy, and Taiwan were inundated with TeslaCrypt during 2016, as shown in the Figure 6 chart below. Other countries known for malware infiltration on a mass scale, such as the United States and China, had only a 6% and 5% infection rate respectively. It's possible that the latest data on TeslaCrypt may reveal a shift from what we have seen in the past, considering that China and the United States are the top two countries in video game spending, according to Statista. Naturally, the hackers behind TeslaCrypt will gravitate towards the money.
Figure 6. TeslaCrypt infection rates by country - Source: StormShield.com
The dire consequence of TeslaCrypt is that many files on the affected computer are left encrypted and cannot be accessed. The customary advice is that those victimized by TeslaCrypt should never pay the ransom. However, such advice is easy to dish out for those who do not have their personal files, or gaming files such as saved game data, encrypted. The best action is the one taken beforehand, before TeslaCrypt can slip onto a system through a spam email attachment. Above all, regularly backing up your system is the best preventative measure one can take: if a system is overtaken by TeslaCrypt and the user has backed up their files, they can quickly restore them once the malware is removed from the affected computer.