Pokemon Go Ransomware | Summary and Q&A
TL;DR
A new Pokemon Go-themed ransomware is targeting Windows systems, encrypting files and causing system crashes.
Key Insights
- The new Pokemon Go ransomware affects Windows systems and encrypts files, causing significant CPU usage and disk activity.
- It can be delivered through flash drives and remains hidden until activated.
- Ending the ransomware process does not save encrypted files, and a system reboot leads to crashes and a blue screen of death.
- Reverse engineering attempts resulted in the system becoming bricked, leaving users without external help.
Transcript
Ransomware, I choose you! That's the thing, apparently, now on PC. So we have a new Pokemon Go ransomware which affects Windows systems, so I thought I'd take a look at it. Here's the original file. It is only 623 kilobytes in size. Must be an awfully small Pokemon, you might say, but when it executes it doesn't leave a very small footprint. Might be a nice Po...
Questions & Answers
Q: How does the Pokemon Go ransomware infect Windows systems?
The ransomware is typically delivered through flash drives, a common delivery mechanism for this kind of malware. Once executed with admin privileges, it remains hidden and starts encrypting files.
Q: Can ending the ransomware process save encrypted files?
Unfortunately, most files are already encrypted by the time users try to end the task. Ending the process does not reverse the encryption.
Q: What happens upon rebooting the system?
After a system reboot, the desktop becomes unresponsive, eventually crashing and displaying a blue screen of death.
Q: Can the Pokemon Go ransomware be reverse engineered?
Attempts were made to reverse engineer the ransomware, but the test system ultimately became bricked. As a result, affected users are left to deal with the ransomware on their own.
Q: Are there any encryption weaknesses in the ransomware?
According to Malwarebytes, the ransomware does not have any encryption-related weaknesses. Decrypting files would likely require retrieving the AES-256 password used in the encryption process.
Summary & Key Takeaways
- A new Pokemon Go ransomware has been discovered, which initially appears as a small file but expands upon execution.
- The ransomware remains hidden in the system and starts using a significant amount of CPU, encrypting files and causing disk activity to increase.
- It can also infect flash drives and uses the file extension "stopped locked". Rebooting the system leads to a crashed desktop and a blue screen of death.