Recently, Cyble discovered a phishing campaign aimed at Russian-speaking gamers, with the primary objective of spreading ransomware. The threat actors have utilized deceptive phishing pages to closely resemble the official website of Enlisted Game.

Enlisted, a squad-based multiplayer tactical first-person shooter, was created by Darkflow Software and published by Gaijin Entertainment. It offers players an immersive experience set against the backdrop of World War II, with a focus on the major battles fought across all fronts of the war.

Diving into details

  • The phishing campaign includes ransomware bundled with the game installer, posing as a return of WannaCry.
  • The ransomware, based on the open-source 'Crypter' Python locker, creates a mutex to prevent multiple instances on the infected computer.
  • It utilizes a JSON configuration file to determine targeted file types, skipped directories, ransom note content, wallet address for ransom payments, and other attack parameters.
  • The encryption process employs the AES-256 algorithm, appending the ".wncry" extension to locked files. While the ransomware doesn't terminate processes or stop services, it does delete shadow copies to hinder data restoration.
  • Upon completion, a ransom note appears on a dedicated GUI app, providing victims with a three-day window to respond to the demands.
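Two of the behaviours listed above, shadow copy deletion and mass renaming of files to the ".wncry" extension, are observable on an endpoint. The following detection logic is an added illustration, not code from Cyble's report or from the ransomware; it assumes a simplified event format and assumes shadow copies are removed via the common `vssadmin` or `wmic` commands, which the report does not specify.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not taken from the report): process-creation
# and file-rename events in the shape a SIEM might normalise them to.
EVENTS = [
    {"ts": 100, "type": "process", "image": "python.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": 102, "type": "process", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    # six rapid renames by the same process, each appending .wncry
    *[{"ts": 101 + i, "type": "rename", "image": "python.exe",
       "path": rf"C:\Users\u\Documents\file{i}.docx.wncry"} for i in range(6)],
    # a single, isolated .wncry rename by another process: not a burst
    {"ts": 200, "type": "rename", "image": "explorer.exe",
     "path": r"C:\Users\u\Desktop\old.txt.wncry"},
]

# Assumed command patterns for shadow copy deletion (the report only states
# that shadow copies are deleted, not how).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)


def detect(events, ext=".wncry", burst=5, window=10):
    """Return (alert_name, image, ts) tuples for suspicious activity.

    - shadow_copy_deletion: a process command line matching SHADOW_DELETE
    - mass_rename_<ext>: `burst` renames to `ext` by one process within
      `window` time units (sliding window, fires once per crossing)
    """
    alerts = []
    recent = defaultdict(list)  # image -> timestamps of recent .ext renames
    for e in events:
        if e["type"] == "process" and SHADOW_DELETE.search(e["cmdline"]):
            alerts.append(("shadow_copy_deletion", e["image"], e["ts"]))
        elif e["type"] == "rename" and e["path"].lower().endswith(ext):
            stamps = recent[e["image"]]
            stamps.append(e["ts"])
            while stamps and e["ts"] - stamps[0] > window:
                stamps.pop(0)  # drop renames that fell out of the window
            if len(stamps) == burst:
                alerts.append((f"mass_rename_{ext.lstrip('.')}", e["image"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The burst threshold and window should be tuned against baseline file activity; a single user renaming one file to an odd extension, as explorer.exe does in the sample, does not fire.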

Keep an eye out for these threats too 

  • The Cl0p ransomware group has begun capitalizing on the MOVEit Transfer zero-day bug. The group started exploiting the vulnerability on May 27 and recently threatened to leak victim names on its leak site if a ransom isn't paid.
  • A new ransomware family called BlackSuit has been discovered that can target both Windows and Linux users. The ransomware shares many similarities with the notorious Royal ransomware, suggesting that it may be a new affiliate or the reuse of Royal's source code.

The bottom line

While the WannaCry impersonator operation lacks a leak site or dedicated chat link, it utilizes a Telegram bot for ransom-related communication. The motive behind its creation is speculated to be influenced by the ongoing Russia-Ukraine conflict. To protect against such threats, it is advised to implement regular backup practices and store backups offline or in a separate network. Additionally, enabling automatic software updates on all connected devices, using reputable anti-virus, and exercising caution when opening untrusted links and email attachments are essential measures to enhance cybersecurity.
Cyware Publisher