A new variant of the Chaos ransomware appears to target Minecraft gamers in Japan. It not only encrypts certain files but also destroys others, rendering them unrecoverable. Victims who choose to pay the ransom may therefore still lose data.

Gamers create alternative accounts ("alts") within Minecraft for various purposes: they allow players to troll others without having their main account banned, they provide cover for an alternative in-game identity, and they let players use cheats without risking a ban on their main account. This Chaos variant is hidden in a file that pretends to contain a list of "Minecraft Alt" accounts, which leads us to believe the campaign targets Minecraft gamers in Japan.


Alt lists, which are often publicly available on Minecraft forums, contain stolen accounts that gamers can use for the purposes listed above. The threat actors behind this attack use such a list as the lure to get victims to download and open the file.

The file is an executable, but it uses a text-file icon so that potential victims take it for a text file full of compromised Minecraft usernames and passwords.

Once the executable is run, the malware searches the compromised machine for files smaller than 2,117,152 bytes and encrypts them. It then appends to each of those files an extension of four random characters drawn from "abcdefghijklmnopqrstuvwxyz1234567890".

Files larger than 2,117,152 bytes that have one of the targeted file extensions are instead overwritten with random bytes. Nothing decryptable remains, so the victim cannot get those files back even if the ransom is paid.
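The two behaviours above (small files encrypted and given a random four-character extension, large files overwritten with random bytes) leave different traces on disk, and a responder needs to tell them apart because only the first group could ever be restored by a decryptor. The following triage script is an added example, not code from the original write-up or from the malware: it walks a directory, flags files whose name ends in an original extension followed by four characters from [a-z0-9], and flags files at or above the 2,117,152-byte threshold whose header no longer matches their extension and whose content is near-uniform random. The threshold and alphabet come from the write-up; the allowlist of legitimate four-character extensions, the magic-byte table and the sample tree built by `demo_scan()` are assumptions and constructed test data.

```python
import math
import os
import string
import tempfile
from pathlib import Path

# Behaviour as described in the write-up: files below SIZE_THRESHOLD are
# encrypted and get a four-character [a-z0-9] extension appended; larger
# files with targeted extensions are overwritten with random bytes.
SIZE_THRESHOLD = 2_117_152
EXT_ALPHABET = frozenset(string.ascii_lowercase + string.digits)

# Legitimate four-character extensions that would otherwise match the
# random-extension pattern (assumption: extend this for your environment).
COMMON_4CHAR_EXTS = {"json", "html", "yaml", "toml", "docx", "xlsx", "pptx",
                     "jpeg", "webp", "flac", "java"}

# File signatures for a few common types (assumption, extend as needed).
# A random overwrite destroys the header, so a large file whose header no
# longer matches its extension and whose content is near-uniform random
# is a wipe indicator.
MAGIC = {"zip": b"PK", "docx": b"PK", "xlsx": b"PK", "pptx": b"PK",
         "pdf": b"%PDF", "png": b"\x89PNG", "jpg": b"\xff\xd8",
         "jpeg": b"\xff\xd8", "gz": b"\x1f\x8b"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def has_appended_random_ext(path) -> bool:
    """True for names like report.docx.k3f9: an original extension followed
    by exactly four characters drawn from [a-z0-9]."""
    suffixes = Path(path).suffixes
    if len(suffixes) < 2:
        return False
    ext = suffixes[-1][1:].lower()
    return (len(ext) == 4 and set(ext) <= EXT_ALPHABET
            and ext not in COMMON_4CHAR_EXTS)


def classify(path, sample_size: int = 65536) -> str:
    """Return 'encrypted', 'wiped' or 'clean' for one file."""
    path = Path(path)
    size = path.stat().st_size
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    entropy = shannon_entropy(head)
    if has_appended_random_ext(path) and size < SIZE_THRESHOLD and entropy > 7.0:
        return "encrypted"   # ciphertext: recoverable only with a decryptor
    if size >= SIZE_THRESHOLD and entropy > 7.9:
        expected = MAGIC.get(path.suffix[1:].lower())
        if expected is None or not head.startswith(expected):
            return "wiped"   # random bytes where a header should be
    return "clean"


def scan(root) -> dict:
    """Classify every regular file under root, keyed by path relative to root."""
    root = Path(root)
    return {str(p.relative_to(root)): classify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def demo_scan() -> dict:
    """Build a constructed sample tree (not real victim data) and scan it."""
    root = Path(tempfile.mkdtemp(prefix="chaos_triage_"))
    # small file that was encrypted and given a random extension
    (root / "notes.txt.k3f9").write_bytes(os.urandom(4096))
    # large archive overwritten with random bytes: its PK header is gone
    (root / "backup.zip").write_bytes(b"\x00\x00" + os.urandom(SIZE_THRESHOLD))
    # untouched files, including a large legitimate archive and a .json file
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"hello world\n" * 200)
    (root / "archive.zip").write_bytes(b"PK\x03\x04" + os.urandom(SIZE_THRESHOLD))
    (root / "config.json").write_bytes(b'{"key": "value"}\n')
    return scan(root)


if __name__ == "__main__":
    for name, verdict in demo_scan().items():
        print(f"{verdict:10s} {name}")
```

Ciphertext and legitimately compressed data both look random, so entropy alone decides nothing: the appended-extension check (two suffixes, the last one random) separates encrypted files from ordinary `.docx` or `.json` files, and the magic-byte check separates a wiped archive from an intact one of the same size. A "wiped" verdict tells the responder that no decryptor, paid for or not, will bring that file back and that a backup is the only option.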

A dropped ReadMe.txt file asks the victim to pay a ransom in either bitcoin or pre-paid cards. The amount requested to decrypt the files is the equivalent of 2,000 yen, which is dirt cheap compared to what other ransomware attacks typically demand. This, together with the formal language of the ransom note, indicates that this Chaos variant specifically targets Japanese Windows users.

The ransomware also deletes shadow copies from the compromised machine, which prevents the victim from restoring encrypted files from those snapshots and makes the attack doubly destructive. This Chaos variant does not contain any code to steal data from the compromised machine.
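Shadow-copy deletion is one of the few noisy actions this otherwise plain sample takes, and it happens before the victim sees a ransom note, so it is a useful detection point. The script below is an added example and not part of the original write-up: it runs a small set of command-line patterns over process-creation records and reports who spawned the command. The write-up does not say which command this variant uses, so the patterns are an assumption covering the methods ransomware commonly uses (vssadmin, wmic and WMI's Win32_ShadowCopy class), the record schema is modelled on Sysmon Event ID 1 field names, and the sample events, including the placeholder parent name `altlist.exe`, are constructed telemetry rather than real logs.

```python
import json
import re

# Command-line patterns commonly used by ransomware to remove Volume Shadow
# Copies. The write-up says this Chaos variant deletes shadow copies but not
# how, so these patterns are an assumption covering the usual methods rather
# than the variant's exact command.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*\bmaxsize\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I),
]


def is_shadow_copy_deletion(command_line: str) -> bool:
    """True if the command line matches any known shadow-copy removal method."""
    return any(p.search(command_line) for p in SHADOW_DELETE_PATTERNS)


def detect(events) -> list:
    """Scan JSON process-creation records (field names modelled on Sysmon
    Event ID 1: UtcTime, Image, CommandLine, ParentImage; this schema is an
    assumption) and return one hit per shadow-copy deletion."""
    hits = []
    for line in events:
        ev = json.loads(line)
        cmd = ev.get("CommandLine", "")
        if not is_shadow_copy_deletion(cmd):
            continue
        parent = ev.get("ParentImage", "")
        hits.append({
            "time": ev.get("UtcTime"),
            "parent": parent,
            "command": cmd,
            # Shadow-copy removal spawned by a binary under a user profile
            # (Downloads, Temp, ...) is far more suspicious than the same
            # command typed in an administrator's console session.
            "parent_in_user_profile": "\\users\\" in parent.lower(),
        })
    return hits


# Constructed sample telemetry, not real logs. "altlist.exe" is a placeholder
# for the lure executable; the write-up does not give its file name.
SAMPLE_EVENTS = [
    json.dumps({"UtcTime": "2021-12-10 09:14:02.113",
                "Image": "C:\\Windows\\System32\\vssadmin.exe",
                "CommandLine": "vssadmin delete shadows /all /quiet",
                "ParentImage": "C:\\Users\\player\\Downloads\\altlist.exe"}),
    json.dumps({"UtcTime": "2021-12-10 09:15:40.008",
                "Image": "C:\\Windows\\System32\\vssadmin.exe",
                "CommandLine": "vssadmin list shadows",
                "ParentImage": "C:\\Windows\\System32\\cmd.exe"}),
    json.dumps({"UtcTime": "2021-12-10 09:16:05.551",
                "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
                "CommandLine": "wmic shadowcopy delete",
                "ParentImage": "C:\\Windows\\System32\\cmd.exe"}),
    json.dumps({"UtcTime": "2021-12-10 09:17:11.220",
                "Image": "C:\\Windows\\System32\\notepad.exe",
                "CommandLine": "notepad.exe ReadMe.txt",
                "ParentImage": "C:\\Windows\\explorer.exe"}),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        flag = "USER-PROFILE PARENT" if hit["parent_in_user_profile"] else ""
        print(hit["time"], hit["parent"], "->", hit["command"], flag)
```

Administrators do legitimately run `vssadmin` and `wmic shadowcopy`, so the parent process is the field that separates a backup job from a ransomware lure launched from a Downloads folder; in a real deployment the `parent_in_user_profile` flag would feed alert severity rather than be the sole trigger.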

The malware also changes the desktop wallpaper, perhaps to add pressure on the victim to pay the ransom. There is nothing fancy about this Chaos variant or its infection vector, but its ability to destroy data and render it unrecoverable makes it more than a mere prank to annoy Japanese Minecraft gamers.


Indicators of Compromise

File hashes (SHA-256):
  • 1a00c3f9173ee4c6f944e2dcebe44ca71f06455951728af06eba0f945e084907
  • aacce549a756cd942ee79f57625d0902ce79315f4e4bfb1381afa208599d7be5
  • 56f8c3248cf2b5adcc81cc2c6289404db56a49d940d195f7d6e3c2eaaf4738cf

URLs (defanged):
  • hxxps://www.file.io/download/Nketu7elpQO1
  • hxxps://easyupload.io/vetnp7