Chaos Ransomware Variant in Fake Minecraft Alt List

Minecraft is one of the most popular digital games in the world.
It was originally released in May 2009 by Swedish game developer Mojang Studios, which was acquired by Microsoft in 2014 for US $2.5 billion.
Initially released for the Windows, Mac, and Linux platforms, the game is now available on 22 platforms, including video game consoles and Android and iOS mobile devices.
Its player base has grown steadily, reaching more than 140 million monthly active players in August 2021, so 12 years after its initial release Minecraft has never been more popular.
Evidently, cybercriminals cannot pass up the opportunity to target such a large userbase.

Ransomware Lure Being Posted to Japanese Minecraft Forums
Gamers create “alt” (alternative) accounts within Minecraft for various purposes, both good and bad: they let them antagonize or troll other players without getting their main account banned, they provide cover for an alternative in-game identity or personality, they help avoid a ban on the main account for using cheats (gaining an unfair advantage over other gamers), and so on.
FortiGuard Labs has discovered a variant of Chaos ransomware hidden in a file that pretends to contain a list of “Minecraft Alt” accounts, which leads us to believe the campaign targets Minecraft gamers in Japan.

Alt Lists, which are often posted publicly on Minecraft online forums, contain stolen accounts that gamers can use for the purposes listed above.
That’s what the threat actors behind this ransomware attack are using to lure victims to download and open the file.

In this case, the file is an executable, but it uses a text icon to fool potential victims into thinking it is a text file full of compromised usernames and passwords for Minecraft.
While we don’t know how this specific fake list is being distributed, it’s a safe guess that the file is being advertised on Minecraft forums for Japanese gamers.

Once the executable file is opened, the malware searches for files smaller than 2,117,152 bytes on the compromised machine and encrypts them.
It then appends a file extension of four random characters drawn from “abcdefghijklmnopqrstuvwxyz1234567890” to each encrypted file.

Files larger than 2,117,152 bytes with specific file extensions, however, are overwritten with random bytes, so the victim cannot get those files back even if the ransom is paid.
This destructive element sets the attack apart from a typical ransomware attack and is a very troubling component.

It is not known why the malware authors chose these file size values or why they chose to encrypt some files and destroy others.
But it is interesting to note that the Chaos malware was originally classified as a wiper malware with the ransomware component added later.
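The size cut-off and extension alphabet described above give responders a simple way to sort a hit machine's files into "ciphertext that a key could in principle decrypt" and "overwritten, unrecoverable". The triage script below is an added example, not FortiGuard's tooling or the malware's code; the entropy floor and the small magic-byte table are assumptions chosen to demonstrate the header-mismatch check, not an exhaustive list.

```python
import math
import os
import re
from collections import Counter

# Values taken from the write-up: the size cut-off the sample uses and the
# alphabet it draws the four-character extension from.
SIZE_THRESHOLD = 2_117_152
RANDOM_EXT = re.compile(r"^[a-z0-9]{4}$")
RANSOM_NOTE = "ReadMe.txt"
ENTROPY_FLOOR = 7.5  # bits/byte; plaintext and most office docs sit far below this (assumption)

# Constructed magic-byte table for a few common formats (assumption, not exhaustive).
MAGIC = {
    "pdf": b"%PDF", "png": b"\x89PNG", "jpg": b"\xff\xd8", "jpeg": b"\xff\xd8",
    "zip": b"PK\x03\x04", "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04",
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name: str, size: int, head: bytes) -> str:
    """Label one file from its name, size and leading bytes.
    note      - the dropped ransom note
    encrypted - below the cut-off, original extension followed by a 4-char random
                one, high-entropy content (ciphertext; recoverable only with the key)
    destroyed - at/above the cut-off, high-entropy content that no longer carries the
                header its extension promises (random-filled, unrecoverable)
    clean     - nothing suspicious (formats outside MAGIC are not judged for 'destroyed')
    """
    if name == RANSOM_NOTE:
        return "note"
    parts = name.lower().split(".")
    ext, orig_ext = parts[-1], (parts[-2] if len(parts) > 2 else None)
    high_entropy = shannon_entropy(head) > ENTROPY_FLOOR
    if size < SIZE_THRESHOLD and orig_ext and RANDOM_EXT.match(ext) and high_entropy:
        return "encrypted"
    magic = MAGIC.get(ext)
    if size >= SIZE_THRESHOLD and high_entropy and magic and not head.startswith(magic):
        return "destroyed"
    return "clean"

def triage_tree(root: str, sample_size: int = 65536) -> dict:
    """Walk a directory and return {label: [paths]} for an incident summary."""
    report = {"note": [], "encrypted": [], "destroyed": [], "clean": []}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                head = fh.read(sample_size)
            report[classify(fn, os.path.getsize(full), head)].append(full)
    return report
```

A legitimately compressed file whose format is not in the table is left as clean, so extend MAGIC (or validate against a full signature library) before relying on the "destroyed" bucket.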

Once the attack takes place, a dropped ReadMe.txt file asks the victim to pay a ransom in either bitcoin or pre-paid cards.
The requested amount to decrypt the files is equal to 2,000 yen (approx. US $17), which is dirt cheap compared to the amounts other ransomware attacks typically demand.
The ransom note does not specify which type of pre-paid card the attacker wants.
All kinds of pre-paid cards (online shopping, gaming, music, mobile phone charge and online streaming services) are available in convenience stores.
Japan has more than 50,000 convenience store locations selling pre-paid cards and most are open 24/7.

The ransom note also states that the attacker is available only on Saturdays and apologizes for any inconvenience caused.
The malware does not include code to identify the language setting of the compromised machine and the ransom note is available in Japanese only.
This, combined with the formal language of the ransom note, indicates this Chaos ransomware variant specifically targets Japanese Windows users.

The ransomware also deletes shadow copies from the compromised machine, which prevents the victim from restoring encrypted files from those copies, making it doubly destructive.
FortiGuard Labs previously released a blog about shadow copy deletion carried out by ransomware.
Luckily, this Chaos ransomware variant does not have any code to steal data from the compromised machine.

The malware also changes the desktop wallpaper, perhaps to add more pressure to the victim to pay the ransom.

There is nothing fancy about this Chaos ransomware variant nor its infection vector.
However, despite its cheap ransom demand, its ability to destroy data and render it unrecoverable makes it more than a mere prank to annoy Japanese Minecraft gamers.
Ransomware is still ransomware, and in this case, the victim may not be able to get their original files back, with or without making a ransom payment.
The best advice is for players to stay off suspicious gaming cheat sites and simply enjoy the game the way it was meant to be played.
