Russian Gamers WannaCry Imitator

Threat Actor Targets Russian Gaming Community With WannaCry-Imitator

Phishing Gaming Site Opens the Door to Ransomware Infection

Gaming has gained immense popularity, attracting millions of players globally, primarily due to the wide range of game options available, strong community engagement, and its entertainment value. Unfortunately, this widespread appeal has also attracted the attention of Threat Actors (TAs), who seek to exploit gamers by targeting games with large user bases to maximize their potential victims. While searching for free or pirated games, some gamers disregard security measures and unknowingly download malicious software onto their systems.

Cyble Research and Intelligence Labs (CRIL) has been actively monitoring phishing campaigns that utilize gaming sites as a distribution channel for various malware families. Recently, CRIL uncovered a phishing campaign targeting Russian-speaking gamers intending to distribute ransomware. The TAs behind these malicious campaigns have employed phishing pages designed to closely resemble the legitimate Enlisted Game website.

Enlisted, a squad-based multiplayer tactical first-person shooter game was developed by Darkflow Software and published by Gaijin Entertainment. This free-to-play game takes place in the backdrop of World War II and focuses on the significant battles fought on all fronts of the war.

The figure below shows the Fake Russian Language game “Enlisted” ‘s website.

Figure 1 – Phishing page downloading malicious Enlisted Game Installer

The fake website hosts an installer file that contains a legitimate game installer and ransomware. The ransomware has adopted the name “WannaCry 3.0” and utilizes the “wncry” file extension for encrypting files, although it is not a genuine variant of the WannaCry ransomware. This ransomware is a modified version of an open-source Ransomware “Crypter”, developed for Windows and written purely in Python. The Crypter code is hosted on a GitHub repository created by a user named ‘@sithis993’.

The figure below shows the GitHub Repository of Crypter Ransomware Builder.

Figure 2 – GitHub Repository of Open Source Crypter Ransomware Builder

Technical details

In this technical analysis, we analyzed an installer sample named “enlisted_beta-v1.0.3.115.exe” with SHA265 as “c14081d8d8eff8191eb182e83b106d4ee683768d9c4dabb5a759e41914884dc2”, downloaded from a phishing site “hxxp://testsite-beta-ne[.]1gb[.]ru/”.

The figure below shows the installer file details.

Figure 3 – File Details of the Installer File

When a user runs the “enlisted_beta-v1.0.3.115.exe” file, it shows an installation wizard to install the game, as shown in the figure below.

Figure 4 – Enlisted Game Installer Window

The “enlisted_beta-v1.0.3.115.exe” installer file contains two executable files,  one is “ENLIST~1.EXE”, which is a legitimate Enlisted Game installer, and the ransomware executable “enlisted.exe”. In the background, the installer drops both files in the “C:\Users\<user>\AppData\Local\Temp\IXP000.TMP”.

The figure below shows the files dropped by the installer.

Figure 5 – The Files Dropped by the Installer

WannaCry 3.0 Crypter

The WannaCry 3.0 Crypter is a 64-bit PyInstaller executable with SHA256 as “c263ac9ce6026fa182066fea8956a3f60cd9c9dd9786ea6aff934ac3b00f43ce”.

The figure below shows the details of the ransomware executable.

Figure 6 – WannaCry 3.0 Ransomware File Details

Upon execution of “enlisted.exe”, it drops multiple Python-supporting files into the %temp% directory. The below figure shows the “.pyc”, “.pyd”, and “.dll” files extracted from the PyInstaller executable.

Figure 7 – Extracted Files of PyInstaller Executable

The “” file is the entry point for the ransomware. This file has two functions, one to create a mutex or check for an existing one and the other to initiate further ransomware activities.

The figure below shows the code to check mutex and start ransomware activities.

Figure 8 – Ransomware Entry Point

When executing the ransomware, it tries to create a mutex with the name “mutex_rr_windows” in the system. The ransomware uses the win32event.CreateMutex() function to create the mutex. If the Mutex already exists, the function returns the error ‘ERROR_ALREADY_EXISTS’, and an exception is raised using MutexAlreadyAcquired(). If no mutex exists, then the win32event.CreateMutex() function creates the mutex and returns the mutex object.

The figure below shows the code to create and check the mutex.

Figure 9 – Ransomware Code To Create Mutex

Once the mutex is checked, the ransomware retrieves its configuration settings from a file “runtime.cfg”, which is a JSON file.

The figure below shows the code to load the ransomware config file.

Figure 10 – Ransomware Code to Load Configuration File

The “runtime.cfg” file contains various parameters, including a ransom note and other settings that determine the ransomware’s behavior during the execution. The following parameters are present in the configuration:

  • maj_version
  • min_version
  • gui_title
  • encrypt_attached_drives
  • encrypt_user_home
  • encrypted_file_extension
  • disable_task_manager
  • open_gui_on_login
  • time_delay
  • wallet_address
  • bitcoin_fee
  • key_destruction_time
  • max_file_size_to_encrypt
  • filetypes_to_encrypt
  • ransom_message
  • make_gui_resizeable
  • always_on_top
  • background_colour
  • heading_font_colour
  • primary_font_colour
  • secondary_font_colour
  • delete_shadow_copies

The figure below shows the configuration details of the ransomware.

Figure 11 – Ransomware Configuration File

Additional to loading the configuration file, the ransomware adds 2 files in the C:\Users\<user>\AppData\Roaming folder, “enc_test.txt” and “encrypted_files.txt”. As the name suggests, the “enc_test.txt” file is a text file to test if the data is getting encrypted, and the “encrypted_files.txt” contains the list of files encrypted by the ransomware.

The figure below shows the dropped files.

Figure 12 – Test File Created by Ransomware

Next, the ransomware checks the “encrypted_file_list.txt”. If the file is empty, the ransomware sleeps for the time mentioned in the config file. In this config file, the delay is 0; hence the ransomware will not delay the operation.

Subsequently, the ransomware conducts checks to determine whether the task manager should be disabled and whether the ransomware needs to be added to the startup programs. In the case of the WannaCry 3.0 ransomware, both of these settings are disabled.

The figure below shows the code to sleep, check for disabling task manager, and startup entry.

Figure 13 – Ransomware Checking Various Operations

Now ransomware initializes the encryption keys to encrypt the files in the system. First, ransomware checks for the “key.txt” file present in the working directory. If the key file is present, then it uses the key. If the key file is absent, the ransomware generates the keys and stores them in the current working directory in the new “key.txt” file.

The figure below shows the key loading and key generation code.

Figure 14 – Ransomware Initializing Encryption Keys

Afterward, the ransomware creates a list of files to be encrypted by the malware. For this reason, the ransomware checks the system to find files to encrypt and create a list of files with full path names. The ransomware has whitelisted files to ignore from encryption and a list of extensions to be targeted for encryption, presented in the configuration file. The ransomware ignores three files from encryption WNCRY_PUBLIC_KEY_1.txt, WNCRY_PUBLIC_KEY_2.txt, and WNCRY_README.txt present at the “C:\Users\Public” location.

The figure below shows the file enumeration for encryption.

Figure 15 – Ransomware Listing Files to be Encrypted

The ransomware proceeds to encrypt the files from the generated list, utilizing the AES encryption algorithm. Once the files are encrypted, the ransomware adds a “wncry” extension at the end of the encrypted filename.

The figure below shows the code to encrypt the files.

Figure 16 – Ransomware Code to Encrypt Files

Unlike other ransomware variants, WannaCry 3.0 ransomware does not terminate processes or stop services. This ransomware only deletes shadow copies from the system using the task scheduler.

The ransomware creates a task scheduler entry named “updater47” and adds the command vssadmin Delete Shadows /All /Quiet to the task. The task is executed just after the creation to delete the shadowcopies.

The figure below shows the task created by the ransomware.

Figure 17 – Ransomware Deleting ShadowCopies

Once the shadowcopy files are deleted, the ransomware starts a cleanup procedure in the system where it deletes the encrypted file list, deletes registry entries (if created), and re-enables the task manager(if disabled).

The figure below shows the code for cleaning up the files and registry.

Figure 18 – Ransomware Cleaningup The System After Encryption

Next, the ransomware shows the ransom note in the form of a Graphical User Interface (GUI) application. WannaCry 3.0 ransomware only contains the Telegram account ID “wncry_support_bot” to negotiate with the TAs. Additionally, the ransomware contains time remaining to pay the ransom, keys to encrypt the files, a button to see the list of encrypted files, and the option to enter the decryption key.

The figure below shows the GUI applications executed by ransomware after encryption.

Figure 19 – Ransomware Executing GUI-Based Ransom Note

Finally, the ransomware changes the desktop background image to show additional information, as shown in the figure below.

Figure 20 – Desktop Background Changed by Ransomware


WannaCry 3.0 Ransomware is a modified version of an open-source Python-based Crypter ransomware that targets Russian-speaking gamers. The ransomware operation is simple and does not have any leak site or dedicated chat link, but it utilizes a Telegram bot for ransom-related communication.

Given the targeted user base, there is speculation that the motivation behind its creation could be influenced by the ongoing Russia-Ukraine conflict.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

  • Detach infected devices on the same network
  • Disconnect external storage devices if connected
  • Inspect system logs for suspicious events

Impact of Ransomware

  • Loss of valuable data
  • Loss of the organization’s reputation and integrity
  • Loss of the organization’s sensitive business information
  • Disruption in organization operation
  • Financial loss

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name 
Initial AccessT1566Phishing
ExecutionT1204User Execution
DiscoveryT1083File and Directory Discovery
Defense EvasionT1070
Indicator Removal
Impair Defenses
Data encrypted for impact
Inhibit System Recovery

Indicators of Compromise (IOCs)

Indicators Indicator  
hxxp://testsite-beta-ne[.]1gb[.]ru/download/enlisted_beta-v1.0.3.115.exeURLDownload URL
hxxp://adobe-acrobat[.]1gb[.]ru/download/adobe_acrobat_reader.exeURLDownload URL

Comments are closed.

Scroll to Top