Phishing Gaming Site Opens the Door to Ransomware Infection
Gaming has gained immense popularity, attracting millions of players globally, primarily due to the wide range of game options available, strong community engagement, and its entertainment value. Unfortunately, this widespread appeal has also attracted the attention of Threat Actors (TAs), who seek to exploit gamers by targeting games with large user bases to maximize their potential victims. While searching for free or pirated games, some gamers disregard security measures and unknowingly download malicious software onto their systems.
Cyble Research and Intelligence Labs (CRIL) has been actively monitoring phishing campaigns that utilize gaming sites as a distribution channel for various malware families. Recently, CRIL uncovered a phishing campaign targeting Russian-speaking gamers intending to distribute ransomware. The TAs behind these malicious campaigns have employed phishing pages designed to closely resemble the legitimate Enlisted Game website.
Enlisted, a squad-based multiplayer tactical first-person shooter game was developed by Darkflow Software and published by Gaijin Entertainment. This free-to-play game takes place in the backdrop of World War II and focuses on the significant battles fought on all fronts of the war.
The figure below shows the Fake Russian Language game “Enlisted” ‘s website.
The fake website hosts an installer file that contains a legitimate game installer and ransomware. The ransomware has adopted the name “WannaCry 3.0” and utilizes the “wncry” file extension for encrypting files, although it is not a genuine variant of the WannaCry ransomware. This ransomware is a modified version of an open-source Ransomware “Crypter”, developed for Windows and written purely in Python. The Crypter code is hosted on a GitHub repository created by a user named ‘@sithis993’.
The figure below shows the GitHub Repository of Crypter Ransomware Builder.
In this technical analysis, we analyzed an installer sample named “enlisted_beta-v188.8.131.52.exe” with SHA265 as “c14081d8d8eff8191eb182e83b106d4ee683768d9c4dabb5a759e41914884dc2”, downloaded from a phishing site “hxxp://testsite-beta-ne[.]1gb[.]ru/”.
The figure below shows the installer file details.
When a user runs the “enlisted_beta-v184.108.40.206.exe” file, it shows an installation wizard to install the game, as shown in the figure below.
The “enlisted_beta-v220.127.116.11.exe” installer file contains two executable files, one is “ENLIST~1.EXE”, which is a legitimate Enlisted Game installer, and the ransomware executable “enlisted.exe”. In the background, the installer drops both files in the “C:\Users\<user>\AppData\Local\Temp\IXP000.TMP”.
The figure below shows the files dropped by the installer.
WannaCry 3.0 Crypter
The WannaCry 3.0 Crypter is a 64-bit PyInstaller executable with SHA256 as “c263ac9ce6026fa182066fea8956a3f60cd9c9dd9786ea6aff934ac3b00f43ce”.
The figure below shows the details of the ransomware executable.
Upon execution of “enlisted.exe”, it drops multiple Python-supporting files into the %temp% directory. The below figure shows the “.pyc”, “.pyd”, and “.dll” files extracted from the PyInstaller executable.
The “Main.py” file is the entry point for the ransomware. This file has two functions, one to create a mutex or check for an existing one and the other to initiate further ransomware activities.
The figure below shows the code to check mutex and start ransomware activities.
When executing the ransomware, it tries to create a mutex with the name “mutex_rr_windows” in the system. The ransomware uses the win32event.CreateMutex() function to create the mutex. If the Mutex already exists, the function returns the error ‘ERROR_ALREADY_EXISTS’, and an exception is raised using MutexAlreadyAcquired(). If no mutex exists, then the win32event.CreateMutex() function creates the mutex and returns the mutex object.
The figure below shows the code to create and check the mutex.
Once the mutex is checked, the ransomware retrieves its configuration settings from a file “runtime.cfg”, which is a JSON file.
The figure below shows the code to load the ransomware config file.
The “runtime.cfg” file contains various parameters, including a ransom note and other settings that determine the ransomware’s behavior during the execution. The following parameters are present in the configuration:
The figure below shows the configuration details of the ransomware.
Additional to loading the configuration file, the ransomware adds 2 files in the C:\Users\<user>\AppData\Roaming folder, “enc_test.txt” and “encrypted_files.txt”. As the name suggests, the “enc_test.txt” file is a text file to test if the data is getting encrypted, and the “encrypted_files.txt” contains the list of files encrypted by the ransomware.
The figure below shows the dropped files.
Next, the ransomware checks the “encrypted_file_list.txt”. If the file is empty, the ransomware sleeps for the time mentioned in the config file. In this config file, the delay is 0; hence the ransomware will not delay the operation.
Subsequently, the ransomware conducts checks to determine whether the task manager should be disabled and whether the ransomware needs to be added to the startup programs. In the case of the WannaCry 3.0 ransomware, both of these settings are disabled.
The figure below shows the code to sleep, check for disabling task manager, and startup entry.
Now ransomware initializes the encryption keys to encrypt the files in the system. First, ransomware checks for the “key.txt” file present in the working directory. If the key file is present, then it uses the key. If the key file is absent, the ransomware generates the keys and stores them in the current working directory in the new “key.txt” file.
The figure below shows the key loading and key generation code.
Afterward, the ransomware creates a list of files to be encrypted by the malware. For this reason, the ransomware checks the system to find files to encrypt and create a list of files with full path names. The ransomware has whitelisted files to ignore from encryption and a list of extensions to be targeted for encryption, presented in the configuration file. The ransomware ignores three files from encryption WNCRY_PUBLIC_KEY_1.txt, WNCRY_PUBLIC_KEY_2.txt, and WNCRY_README.txt present at the “C:\Users\Public” location.
The figure below shows the file enumeration for encryption.
The ransomware proceeds to encrypt the files from the generated list, utilizing the AES encryption algorithm. Once the files are encrypted, the ransomware adds a “wncry” extension at the end of the encrypted filename.
The figure below shows the code to encrypt the files.
Unlike other ransomware variants, WannaCry 3.0 ransomware does not terminate processes or stop services. This ransomware only deletes shadow copies from the system using the task scheduler.
The ransomware creates a task scheduler entry named “updater47” and adds the command vssadmin Delete Shadows /All /Quiet to the task. The task is executed just after the creation to delete the shadowcopies.
The figure below shows the task created by the ransomware.
Once the shadowcopy files are deleted, the ransomware starts a cleanup procedure in the system where it deletes the encrypted file list, deletes registry entries (if created), and re-enables the task manager(if disabled).
The figure below shows the code for cleaning up the files and registry.
Next, the ransomware shows the ransom note in the form of a Graphical User Interface (GUI) application. WannaCry 3.0 ransomware only contains the Telegram account ID “wncry_support_bot” to negotiate with the TAs. Additionally, the ransomware contains time remaining to pay the ransom, keys to encrypt the files, a button to see the list of encrypted files, and the option to enter the decryption key.
The figure below shows the GUI applications executed by ransomware after encryption.
Finally, the ransomware changes the desktop background image to show additional information, as shown in the figure below.
WannaCry 3.0 Ransomware is a modified version of an open-source Python-based Crypter ransomware that targets Russian-speaking gamers. The ransomware operation is simple and does not have any leak site or dedicated chat link, but it utilizes a Telegram bot for ransom-related communication.
Given the targeted user base, there is speculation that the motivation behind its creation could be influenced by the ongoing Russia-Ukraine conflict.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Ransomware Attack
- Detach infected devices on the same network
- Disconnect external storage devices if connected
- Inspect system logs for suspicious events
Impact of Ransomware
- Loss of valuable data
- Loss of the organization’s reputation and integrity
- Loss of the organization’s sensitive business information
- Disruption in organization operation
- Financial loss
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|Discovery||T1083||File and Directory Discovery|
|Defense Evasion||T1070 |
|Indicator Removal |
|Data encrypted for impact |
Inhibit System Recovery
Indicators of Compromise (IOCs)