Fake WannaCry Ransomware Targeting Gamers

Researchers have spotted a phishing campaign targeting Russian-speaking players of Enlisted, a multiplayer first-person shooter.

The hackers used a fake website that closely resembles the official Enlisted webpage to distribute ransomware. Though the campaign is not attributed to any group, it is believed that the campaign is connected to the tussle between Russia and Ukraine

Enlisted is a freely available game that takes place during World War II and revolves around major battles fought across all war fronts. The game was published by Russia-founded company Gaijin Entertainment in 2021 and has between 500,000 and a million active monthly players.

Advertisements

The fake Enlisted website hosts a legitimate game installer and ransomware that mimics the infamous WannaCry crypto worm, created by the North Korean hacking group Lazarus.

WannaCry 3.0 is the name adopted and uses the .wncry file extension for encrypting files, although it is not a genuine variant of WannaCry. The malicious software distributed through Enlisted is a customized variant of open-source ransomware known as Crypter. It is designed for Windows systems and coded in Python.

The ransomware shows the ransom note in the form of a GUI application. WannaCry 3.0 ransomware only contains the Telegram account ID “wncry_support_bot” to negotiate. The ransomware contains time remaining to pay the ransom, keys to encrypt the files, a button to see the list of encrypted files, and the option to enter the decryption key.

Threat actors frequently target popular games to reach a larger pool of potential victims. While searching for free or pirated games, some gamers disregard security measures and unknowingly download malicious software onto their systems.