New Pokemon Go Ransomware discovered, industry experts comment

A new ransomware sample poses as a version of Pokémon Go for Windows. These features include a backdoor Windows account, spreading the executable to other drives, and creating network shares.

IT security experts from Lieberman Software, ESET and Tripwire discuss the ransomware:

Jonathan Sander, VP of Product Strategy at Lieberman Software:

Is there anything different/interesting about this ransomware?
“This Hidden-Tear ransomware is either the cutting edge or class clown of the malware world. Generally, ransomware is built to extract money and leave no traces. Hidden-Tear behaves like a malware hybrid that encrypts files and asks for ransom, but all attempts to spread in ways normally associated with a virus. Maybe that’s the start of something new and dangerous. But it’s equally likely this is the work of someone who is taking ideas from all over without really understanding their implications. Anyone who has used software has run into features added where they can’t imagine what the developer was thinking. Hidden-Tear may be a malware developer throwing in features just because it’s possible versus because it’s a good idea.”

What can users do to protect themselves?
“One thing Hidden-Tear does well is try to play on people’s desires. Malware always needs an angle to get you to click, and few things capture the spirit of the day like Pokémon Go. With many Arab countries moving to ban or limit the game, a malware that offers people a way to perhaps play despite the government interference is click bait that’s sure to trap some. People need to use what should be common sense here – in the case realizing that a mobile app appearing on their PC is *actually* too good to be true.”

How successful can this ransomware be?
“If we’re going to measure Hidden-Tear as ransomware, then its success should be measured in cash. It’s likely not got the same professional approach as many eastern European ransomware operations, which often boast legitimate call centers and oddly get high marks from victims on customer service. Without this high grade money collection system, is unlikely it will grab any huge amount of cash unless the creator gets very lucky.”

Mark James, Security Specialist at ESET:

“As with most projects or events that generate so much interest in the IT world, it’s inevitable that malware will soon follow, often tailored to help, mimic or guide you. The whole PokemonGo phenomenon was of course going to be no different; people will want to play it on all platforms, IOS, Android and their desktop systems. This particular piece of malware is a little different though, it not only wants to infect you with ransomware, it appears to have a hidden agenda, most ransomware deletes itself once the job is done, but this particular piece of malware goes a little further by installing a hidden user account with admin privileges, that could enable someone at a later date to remotely connect back to the infected computer and perform other malicious tasks.

It’s currently targeted at Arabic victims but could easily be adapted for global use and we could see it modified and spread in other countries. Malware is constantly changing and the need to have a good multi-layered regular updating internet security product is a must these days if you want to keep safe. Keep your operating system and applications updated and on the latest versions and make sure you have some kind of backup to protect any data you can’t afford to lose. Ransomware these days is a very real threat and having a good backup solution will enable you to restore your data easily and quickly and not succumb to funding criminal activity by paying the ransom.”

Travis Smith, Senior Security Research Engineer at Tripwire discusses:

“Fans of the Pokemon Go game are eager to catch them all, but must be weary of catching malware.  While the malware is not fully production code, it highlights the intent of some malware creators to capitalize on the Pokemon Go craze.  Users looking for Pokemon should be wary of any third party applications or services looking to assist your search. 

The fact that the malware is creating users is a new ransomware development.  It’s unclear if the intent is to maintain persistence or be an indicator to avoid multiple infections of the same box.  Either way, it’s clear the ransomware is looking to spread itself to network shares and removable drives to both spread infection and potentially cripple backups; the primary recovery method for ransomware.”