CoderWare is a recent addition to the ransomware scene that has been victimizing gamers under the guise of the trending game Cyberpunk 2077, on both Windows and Android. Distributing it as game installers, cheats, and cracks is the social-engineering lure used to get users to install the malware themselves. Here is one screenshot in which a threat actor baits players into installing the "mobile version" through a YouTube video:
In the third week of December 2020, malware analyst Tatyana Shishkova found an Android ransomware disguised as a mobile version of Cyberpunk 2077, distributed through a fake website impersonating the Google Play Store.
Malware analysis of Cyberpunk 2077 mobile ransomware
In a tweet, Shishkova noted that the ransomware uses a hardcoded key. Ransomware that relies on a hardcoded key can be defeated by reverse engineering the sample: once the key and the algorithm are known, a decryptor can recover the files for free, with no payment to the attacker.
Here is a screenshot of the source code:
Notice the hardcoded key '21983453453435435738912738921' in the code above. With that key, a decryptor can be written. The algorithm is identified as RC4, a symmetric stream cipher, so the same routine that the malware uses to encrypt also decrypts when fed the ciphertext.
Windows? The ransomware also targets Windows users. That campaign started in November 2020, when it was discovered by MalwareHunterTeam, and spreads through a fake Cyberpunk 2077 installer for Windows. This build is a variant of the BlackKingdom ransomware, but like its Android counterpart it calls itself CoderWare. In the Windows version, an executable built from Python code encrypts the victim's files and appends the .DEMON extension to each file it successfully encrypts. According to the malware analysts, free decryption of the Windows variant may not be possible, because it is not yet known whether a hardcoded key was used this time as well.
A crack carrying ransomware is the perfect bait for Windows users, since some of them want to play the game for free. What they overlook is that the game is copyright-protected: tampering with protected intellectual property is against the law, and running third-party software to circumvent that protection exposes the user to malware. By the time a ransomware victim realizes the mistake, it is too late. Many users who run cracks believe they should not have to pay for "data or pixels"; others simply want to save money, so piracy becomes their option of choice. Ransomware groups do not whitelist targets, and people who resort to piracy are among the easiest ones. Instead of saving money, the victim loses their data once the encryption completes, and is then faced with a ransom demand for the decryption. A further risk is that not every threat actor keeps their word: there are known cases where the victim paid for decryption and received nothing.
What can you do to protect your intellectual property from being used as a ransomware distribution vector?
An internet security monitoring team such as iZOOlogic can help detect, monitor and take down copyright- and trademark-protected content that is being maliciously masqueraded and distributed to spread malware. Without a threat intelligence team crawling the internet to proactively find these threats, you will not know that your brand has become the next medium threat actors use to get their malware installed on their victims' machines.