Phishing Gaming Site Opens the Door to Ransomware Infection
Gaming has gained immense popularity, attracting millions of players globally, primarily due to the wide range of game options available, strong community engagement, and its entertainment value. Unfortunately, this widespread appeal has also attracted the attention of Threat Actors (TAs), who seek to exploit gamers by targeting games with large user bases to maximize their potential victims. While searching for free or pirated games, some gamers disregard security measures and unknowingly download malicious software onto their systems.
Cyble Research and Intelligence Labs (CRIL) has been actively monitoring phishing campaigns that use gaming sites as a distribution channel for various malware families. Recently, CRIL uncovered a phishing campaign targeting Russian-speaking gamers that is intended to distribute ransomware. The TAs behind the campaign use phishing pages designed to closely resemble the legitimate Enlisted game website.
Enlisted, a squad-based multiplayer tactical first-person shooter, was developed by Darkflow Software and published by Gaijin Entertainment. This free-to-play game is set during World War II and focuses on the major battles fought on all fronts of the war.
The figure below shows the fake Russian-language website for the game “Enlisted”.
The fake website hosts an installer file that contains both a legitimate game installer and the ransomware. The ransomware calls itself “WannaCry 3.0” and uses the “wncry” file extension for encrypted files, although it is not a genuine variant of the WannaCry ransomware. It is a modified version of “Crypter”, an open-source ransomware builder for Windows written purely in Python. The Crypter code is hosted in a GitHub repository created by a user named ‘@sithis993’.
The figure below shows the GitHub Repository of Crypter Ransomware Builder.
Technical details
In this technical analysis, we analyzed an installer sample named “enlisted_beta-v1.0.3.115.exe” with SHA256 “c14081d8d8eff8191eb182e83b106d4ee683768d9c4dabb5a759e41914884dc2”, downloaded from the phishing site “hxxp://testsite-beta-ne[.]1gb[.]ru/”.
The figure below shows the installer file details.
When a user runs the “enlisted_beta-v1.0.3.115.exe” file, it shows an installation wizard to install the game, as shown in the figure below.
The “enlisted_beta-v1.0.3.115.exe” installer contains two executable files: “ENLIST~1.EXE”, the legitimate Enlisted game installer, and “enlisted.exe”, the ransomware executable. In the background, the installer drops both files into “C:\Users\<user>\AppData\Local\Temp\IXP000.TMP”.
The figure below shows the files dropped by the installer.
WannaCry 3.0 Crypter
The WannaCry 3.0 Crypter is a 64-bit PyInstaller executable with SHA256 “c263ac9ce6026fa182066fea8956a3f60cd9c9dd9786ea6aff934ac3b00f43ce”.
The figure below shows the details of the ransomware executable.
Upon execution, “enlisted.exe” drops multiple Python support files into the %temp% directory. The figure below shows the “.pyc”, “.pyd”, and “.dll” files extracted from the PyInstaller executable.
The “Main.py” file is the entry point of the ransomware. It has two functions: one creates a mutex (or detects an existing one), and the other initiates the remaining ransomware activity.
The figure below shows the code to check mutex and start ransomware activities.
On execution, the ransomware tries to create a mutex named “mutex_rr_windows” using the win32event.CreateMutex() function. If the mutex already exists, the call returns the error ‘ERROR_ALREADY_EXISTS’ and the code raises a MutexAlreadyAcquired() exception. If no such mutex exists, win32event.CreateMutex() creates it and returns the mutex object.
The figure below shows the code to create and check the mutex.
Once the mutex is checked, the ransomware retrieves its configuration settings from a file “runtime.cfg”, which is a JSON file.
The figure below shows the code to load the ransomware config file.
The “runtime.cfg” file contains various parameters, including the ransom note and other settings that determine the ransomware’s behavior during execution. The configuration contains the following parameters:
- maj_version
- min_version
- gui_title
- encrypt_attached_drives
- encrypt_user_home
- encrypted_file_extension
- disable_task_manager
- open_gui_on_login
- time_delay
- wallet_address
- bitcoin_fee
- key_destruction_time
- max_file_size_to_encrypt
- filetypes_to_encrypt
- ransom_message
- make_gui_resizeable
- always_on_top
- background_colour
- heading_font_colour
- primary_font_colour
- secondary_font_colour
- delete_shadow_copies
The figure below shows the configuration details of the ransomware.
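The configuration keys listed above are what a responder reads first, because they decide whether the sample will delay, persist, disable Task Manager or delete shadow copies. The script below is an added example (it is neither Cyble’s nor the Crypter project’s code) that parses a Crypter-style `runtime.cfg`, reports keys that are missing or unexpected relative to the list above, and maps the enabled switches to the host artifacts described in this write-up. The embedded configuration is constructed for illustration: its key names come from the list above, every value (wallet, note, thresholds) is a placeholder.

```python
"""Added example (not Cyble's or the Crypter project's code): parse a Crypter-style
runtime.cfg and summarise the behaviour switches a responder cares about.

The sample configuration below is constructed for illustration: the key names are
the ones listed in the write-up; every value is a placeholder.
"""
import json

# Keys the write-up lists for runtime.cfg. Missing or extra keys hint at a
# modified builder and are worth recording in the triage notes.
EXPECTED_KEYS = frozenset({
    "maj_version", "min_version", "gui_title", "encrypt_attached_drives",
    "encrypt_user_home", "encrypted_file_extension", "disable_task_manager",
    "open_gui_on_login", "time_delay", "wallet_address", "bitcoin_fee",
    "key_destruction_time", "max_file_size_to_encrypt", "filetypes_to_encrypt",
    "ransom_message", "make_gui_resizeable", "always_on_top",
    "background_colour", "heading_font_colour", "primary_font_colour",
    "secondary_font_colour", "delete_shadow_copies",
})

# Constructed sample config (placeholder wallet and note, not real IoCs).
SAMPLE_CFG = json.dumps({
    "maj_version": 3, "min_version": 0, "gui_title": "WannaCry 3.0",
    "encrypt_attached_drives": True, "encrypt_user_home": True,
    "encrypted_file_extension": "wncry", "disable_task_manager": False,
    "open_gui_on_login": False, "time_delay": 0,
    "wallet_address": "<PLACEHOLDER_WALLET>", "bitcoin_fee": 0.05,
    "key_destruction_time": 72, "max_file_size_to_encrypt": 10000000,
    "filetypes_to_encrypt": ["txt", "docx", "xlsx", "jpg"],
    "ransom_message": "<PLACEHOLDER_NOTE>", "make_gui_resizeable": False,
    "always_on_top": True, "background_colour": "#000000",
    "heading_font_colour": "#ff0000", "primary_font_colour": "#ffffff",
    "secondary_font_colour": "#cccccc", "delete_shadow_copies": True,
})


def triage_config(raw):
    """Return a flat summary of the switches that change the sample's behaviour."""
    cfg = json.loads(raw)
    present = set(cfg)
    return {
        "missing_keys": sorted(EXPECTED_KEYS - present),
        "unexpected_keys": sorted(present - EXPECTED_KEYS),
        "extension": cfg.get("encrypted_file_extension"),
        "targets": sorted(cfg.get("filetypes_to_encrypt", [])),
        "max_file_size": cfg.get("max_file_size_to_encrypt"),
        "delay": cfg.get("time_delay", 0),
        "persists_on_login": bool(cfg.get("open_gui_on_login")),
        "disables_task_manager": bool(cfg.get("disable_task_manager")),
        "deletes_shadow_copies": bool(cfg.get("delete_shadow_copies")),
        "wallet": cfg.get("wallet_address"),
    }


def expected_artifacts(summary):
    """Map the enabled switches to the host artifacts the write-up describes,
    so the responder knows what to look for on the host."""
    hints = ["files renamed with the .%s extension" % summary["extension"]]
    if summary["deletes_shadow_copies"]:
        hints.append("scheduled task running vssadmin Delete Shadows (T1490)")
    if summary["disables_task_manager"]:
        hints.append("registry entry added to disable Task Manager (T1562)")
    if summary["persists_on_login"]:
        hints.append("startup entry for the ransomware (GUI shown on login)")
    return hints


if __name__ == "__main__":
    summary = triage_config(SAMPLE_CFG)
    print(json.dumps(summary, indent=2))
    for hint in expected_artifacts(summary):
        print("look for:", hint)
```

Feeding the sample configuration through `triage_config` reports no missing or unexpected keys, a zero delay, shadow-copy deletion enabled, and Task Manager left alone, which matches the behaviour described for this sample; a configuration from a different build that adds or drops keys shows up in `unexpected_keys` or `missing_keys`.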
In addition to loading the configuration file, the ransomware adds two files to the C:\Users\<user>\AppData\Roaming folder: “enc_test.txt” and “encrypted_files.txt”. As the names suggest, “enc_test.txt” is a text file used to test whether data is being encrypted, and “encrypted_files.txt” holds the list of files encrypted by the ransomware.
The figure below shows the dropped files.
Next, the ransomware checks the “encrypted_file_list.txt”. If the file is empty, the ransomware sleeps for the time specified in the config file. In this config file the delay is 0, so the ransomware does not delay its operation.
Subsequently, the ransomware conducts checks to determine whether the task manager should be disabled and whether the ransomware needs to be added to the startup programs. In the case of the WannaCry 3.0 ransomware, both of these settings are disabled.
The figure below shows the code to sleep, check for disabling task manager, and startup entry.
Now the ransomware initializes the encryption keys used to encrypt the files on the system. First, it checks for a “key.txt” file in the working directory. If the key file is present, it uses that key. If the key file is absent, the ransomware generates the keys and stores them in a new “key.txt” file in the current working directory.
The figure below shows the key loading and key generation code.
Afterward, the ransomware builds the list of files to be encrypted. To do so, it scans the system for candidate files and creates a list of their full path names. The ransomware has a whitelist of files to skip and a list of target extensions, both taken from the configuration file. It excludes three files from encryption: WNCRY_PUBLIC_KEY_1.txt, WNCRY_PUBLIC_KEY_2.txt, and WNCRY_README.txt, located in “C:\Users\Public”.
The figure below shows the file enumeration for encryption.
The ransomware then encrypts the files in the generated list using the AES encryption algorithm. Once a file is encrypted, the ransomware appends the “wncry” extension to the encrypted filename.
The figure below shows the code to encrypt the files.
Unlike other ransomware variants, WannaCry 3.0 does not terminate processes or stop services. It only deletes shadow copies from the system, using the task scheduler.
The ransomware creates a scheduled task named “updater47” with the command vssadmin Delete Shadows /All /Quiet. The task runs immediately after creation to delete the shadow copies.
The figure below shows the task created by the ransomware.
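Because this sample deletes shadow copies through a scheduled task rather than by running vssadmin directly, detection should cover both the task-creation event and the resulting process creation. The script below is an added example (not Cyble’s code) that runs a simple rule over constructed host events: it flags any scheduled task whose action invokes vssadmin to delete shadows, flags the task name “updater47” seen in this campaign as a low-cost secondary signal, and flags the process-creation event itself. The events are constructed and use a simplified `key=value` rendering; they are not the exact layout of Windows event 4698 or 4688 records, so the field names are an assumption to adapt to your own log source.

```python
"""Added example (not Cyble's code): flag the shadow-copy deletion behaviour the
write-up describes (scheduled task "updater47" running vssadmin) in host logs.

The events below are constructed for illustration and use a simplified
key=value rendering, not the exact layout of Windows event 4698/4688 records.
"""
import re

# Constructed sample events: two task creations and two process creations.
SAMPLE_EVENTS = [
    "EventID=4698 TaskName=\\updater47 Command=vssadmin Arguments=Delete Shadows /All /Quiet",
    "EventID=4698 TaskName=\\Microsoft\\Windows\\Defrag\\ScheduledDefrag Command=defrag.exe Arguments=-c -h -k -g",
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin Delete Shadows /All /Quiet",
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin list shadows",
]

# vssadmin invoked with "delete" followed by "shadows", whatever the flags.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# Task name seen in this campaign; exact-name matches are cheap but easy to evade.
KNOWN_TASK_NAMES = {"updater47"}
# key=value pairs; a value runs until the next " key=" or end of line.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Split a key=value line into a dict (values may contain spaces)."""
    return dict(FIELD.findall(line))


def classify(line):
    """Return a reason string if the event matches a rule, else None."""
    ev = parse_event(line)
    if ev.get("EventID") == "4698":
        task = ev.get("TaskName", "").lstrip("\\")
        action = "%s %s" % (ev.get("Command", ""), ev.get("Arguments", ""))
        if SHADOW_DELETE.search(action):
            return "scheduled task '%s' deletes shadow copies (T1490)" % task
        if task in KNOWN_TASK_NAMES:
            return "scheduled task name '%s' matches known ransomware task" % task
    elif ev.get("EventID") == "4688":
        if SHADOW_DELETE.search(ev.get("CommandLine", "")):
            return "process deletes shadow copies: %s (T1490)" % ev["CommandLine"]
    return None


def scan(lines):
    """Run classify over a log and return (index, reason) pairs for the hits."""
    hits = []
    for i, line in enumerate(lines):
        reason = classify(line)
        if reason:
            hits.append((i, reason))
    return hits


if __name__ == "__main__":
    for index, reason in scan(SAMPLE_EVENTS):
        print(index, reason)
```

Running `scan` over the sample events produces two hits: the “updater47” task creation and the vssadmin process it launches. The defrag task and the read-only `vssadmin list shadows` call are left alone, which is the behaviour you want before deploying the rule against real telemetry, where `vssadmin list` is common administrative noise.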
Once the shadow copies are deleted, the ransomware starts a cleanup procedure on the system: it deletes the encrypted-file list, removes any registry entries it created, and re-enables the task manager (if it was disabled).
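Because the cleanup step removes the ransomware’s own list of encrypted files, a responder usually has to rebuild that inventory from the file system. The script below is an added example (not Cyble’s code) that walks a directory tree, lists every file carrying the encrypted extension together with its original name, and locates the artifact files named in this write-up (“enc_test.txt”, “encrypted_files.txt”, “key.txt”, the WNCRY_PUBLIC_KEY and WNCRY_README files). Two assumptions are made: the appended extension is matched in its dotted form “.wncry”, and artifact names are matched anywhere under the scanned root rather than only at the exact paths given above, so the same scan works on a mounted disk image. The sample directory tree is constructed inline.

```python
"""Added example (not Cyble's code): rebuild the inventory of encrypted files and
locate the on-disk artifacts the write-up attributes to this sample.

Assumptions: the appended extension is ".wncry" (dotted form), and artifact
file names are matched anywhere under the scanned root, not only at the exact
paths the write-up gives, so the scan also works on a mounted image.
"""
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".wncry"
# File names the write-up associates with the sample.
ARTIFACT_NAMES = {
    "enc_test.txt", "encrypted_files.txt", "key.txt",
    "WNCRY_PUBLIC_KEY_1.txt", "WNCRY_PUBLIC_KEY_2.txt", "WNCRY_README.txt",
}


def scope_host(root):
    """Walk `root`; report encrypted files (with original names) and artifacts."""
    root = Path(root)
    encrypted, artifacts = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() == ENCRYPTED_SUFFIX:
            # The original name is the path with the trailing extension removed.
            encrypted.append((rel, rel[:-len(ENCRYPTED_SUFFIX)]))
        elif path.name in ARTIFACT_NAMES:
            artifacts.append(rel)
    encrypted.sort()
    artifacts.sort()
    return {
        "encrypted": encrypted,
        "artifacts": artifacts,
        # key.txt in the working directory holds the key material; preserve it
        # for recovery attempts instead of deleting it during remediation.
        "key_file_present": any(Path(a).name == "key.txt" for a in artifacts),
    }


def build_sample_tree():
    """Create a constructed directory tree that mimics a post-infection layout."""
    root = Path(tempfile.mkdtemp(prefix="wncry_scope_"))
    sample = {
        "Users/victim/Documents/report.docx.wncry": b"<constructed ciphertext>",
        "Users/victim/Pictures/holiday.jpg.wncry": b"<constructed ciphertext>",
        "Users/victim/Documents/notes.txt": b"untouched",
        "Users/victim/AppData/Roaming/enc_test.txt": b"test",
        # Normally removed by the cleanup step; left here as if cleanup was interrupted.
        "Users/victim/AppData/Roaming/encrypted_files.txt": b"",
        "Users/Public/WNCRY_README.txt": b"<constructed note>",
        "Users/victim/Desktop/enlisted/key.txt": b"<constructed key>",
    }
    for rel, data in sample.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    result = scope_host(build_sample_tree())
    print("%d encrypted files" % len(result["encrypted"]))
    for enc, original in result["encrypted"]:
        print("  %s  (was %s)" % (enc, original))
    print("artifacts:", result["artifacts"])
    print("key file present:", result["key_file_present"])
```

On the constructed tree the scan finds the two “.wncry” files with their original names, leaves “notes.txt” out of the inventory, and reports the four artifact files including “key.txt”; on a real host the `encrypted` list is the scope of the incident and `key_file_present` tells you whether key material survived the run.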
The figure below shows the code for cleaning up the files and registry.
Next, the ransomware displays the ransom note as a Graphical User Interface (GUI) application. WannaCry 3.0 provides only a Telegram account ID, “wncry_support_bot”, for negotiating with the TAs. The note also shows the time remaining to pay the ransom, the keys used to encrypt the files, a button to view the list of encrypted files, and a field to enter the decryption key.
The figure below shows the GUI applications executed by ransomware after encryption.
Finally, the ransomware changes the desktop background image to show additional information, as shown in the figure below.
Conclusion
WannaCry 3.0 ransomware is a modified version of the open-source, Python-based Crypter ransomware and targets Russian-speaking gamers. The operation is simple: there is no leak site or dedicated chat link, and a Telegram bot is used for ransom-related communication.
Given the targeted user base, there is speculation that the motivation behind its creation could be influenced by the ongoing Russia-Ukraine conflict.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Back up data regularly and keep the backups offline or on a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Ransomware Attack
- Disconnect infected devices from the network.
- Disconnect any attached external storage devices.
- Inspect system logs for suspicious events.
Impact of Ransomware
- Loss of valuable data
- Loss of the organization’s reputation and integrity
- Loss of the organization’s sensitive business information
- Disruption in organization operation
- Financial loss
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Discovery | T1083 | File and Directory Discovery |
| Defense Evasion | T1070 | Indicator Removal |
| Defense Evasion | T1562 | Impair Defenses |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1490 | Inhibit System Recovery |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| 65fdd5e706d45e8bb83bc13311fb4da4 | MD5 | enlisted_beta-v1.0.3.115.exe |
| 6515911679fdb3d6267ab44b67415dc32e587440 | SHA1 | enlisted_beta-v1.0.3.115.exe |
| c14081d8d8eff8191eb182e83b106d4ee683768d9c4dabb5a759e41914884dc2 | SHA256 | enlisted_beta-v1.0.3.115.exe |
| 77873f29f166fd64350be2a1391ce9f9 | MD5 | enlisted.exe |
| dfaab002eca691708228846e0d16905290031d48 | SHA1 | enlisted.exe |
| c263ac9ce6026fa182066fea8956a3f60cd9c9dd9786ea6aff934ac3b00f43ce | SHA256 | enlisted.exe |
| a6c971ab47c13b513af07d6dc3b06e8e | MD5 | enlisted.exe |
| aa86ba02efd41f624b51956311b8759711a207ab | SHA1 | enlisted.exe |
| 3741580d662ba528004695bf6441fc03e6e195c8d599ea7cbb8a8c4ec59efef4 | SHA256 | enlisted.exe |
| 55fac3a480c154fd5f2344992db4c5b0 | MD5 | enlisted.exe |
| 31278826e062d0a8b4ffe52caf1aa5c2804f3441 | SHA1 | enlisted.exe |
| 444383bcff5139c30cc74d5dd7c35bdb236b468e18ed9a28e923acb12c2f3790 | SHA256 | enlisted.exe |
| 84c613a151449be56b5afb0291fc0cca | MD5 | enlisted.exe |
| 9b43fdfd6ddb70a7418158c33d4c9a41f341a4e2 | SHA1 | enlisted.exe |
| 51aeac86371a1dafe7601b40a1b897f1c5c62ed6aa6fcdb3fe39e6ebf480763f | SHA256 | enlisted.exe |
| 66742054e5ba484ef06d7cc2b52bd6c3 | MD5 | enlisted.exe |
| 0dc36a78cb251f6272991d541b7dffb438e2eb36 | SHA1 | enlisted.exe |
| dd49296f07192452a7394bd99a4d15594961dccea1e0517695d23e2d74bca005 | SHA256 | enlisted.exe |
| hxxp://testsite-beta-ne[.]1gb[.]ru/download/enlisted_beta-v1.0.3.115.exe | URL | Download URL |
| hxxp://adobe-acrobat[.]1gb[.]ru/download/adobe_acrobat_reader.exe | URL | Download URL |