PokemonGo is a mobile phenomenon unlike anything we’ve ever seen. Players are going out with the augmented reality app on their phones, finding Pokemon all over the real world. It was only a matter of time until some clever hacker decided to leverage Pokemon GO’s huge success to create Pokemon-themed ransomware.
At first glance, the PokemonGo ransomware infection looks like any other generic ransomware infection. It scans a victim’s drive for files. When it encrypts a file, it uses AES encryption and appends the .locked extension to the encrypted file. When it is done, a ransom note appears directing the victim to email firstname.lastname@example.org for payment instructions.
However, it appears that this developer has put in extra time to include features that are not found in many other ransomware infections. Most ransomware infections encrypt your data, delete themselves, and then display a ransom note. The malware developers are there to do one thing: encrypt your files so that you pay the ransom.
The PokemonGo ransomware acts a little differently, as it creates a backdoor account in Windows so that the developer can gain access to a victim’s computer at a later date. When installed, the PokemonGo ransomware creates a user account called Hack3r and adds it to the Administrators group. It then hides this account from the Windows login screen by configuring the Windows registry. Another feature is a function that creates a network share on the victim’s computer. Lastly, the ransomware attempts to spread itself by copying the ransomware executable to all removable drives.
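The behaviors described above (hidden Hack3r admin account, an added network share, executables dropped on removable drives, .locked files) can each be checked for on a suspect machine. The following PowerShell audit is an added example, not code from the original post; the post does not name the registry key used to hide the account, so the script assumes the standard Winlogon SpecialAccounts\UserList mechanism.

```powershell
# Added example: audit a Windows host for the indicators described in the post.
# Assumption: the account is hidden via the Winlogon SpecialAccounts\UserList key,
# which the post does not name explicitly.
$findings = @()

# 1. Is an account named Hack3r a member of the local Administrators group?
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
foreach ($m in $admins) {
    if ($m.Name -like '*\Hack3r') { $findings += "Admin account found: $($m.Name)" }
}

# 2. Any accounts hidden from the logon screen (value 0 under UserList)?
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    $props = Get-ItemProperty -Path $userList
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) {
            $findings += "Account hidden from logon screen: $($p.Name)"
        }
    }
}

# 3. Network shares beyond the default administrative shares.
$defaultShares = 'ADMIN$', 'C$', 'IPC$', 'print$'
Get-SmbShare -ErrorAction SilentlyContinue |
    Where-Object { $defaultShares -notcontains $_.Name } |
    ForEach-Object { $findings += "Non-default share: $($_.Name) -> $($_.Path)" }

# 4. Executables sitting in the root of removable drives (spreading behavior).
Get-Volume -ErrorAction SilentlyContinue |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
    ForEach-Object {
        Get-ChildItem -Path "$($_.DriveLetter):\" -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -eq '.exe' } |
            ForEach-Object { $findings += "Executable on removable drive: $($_.FullName)" }
    }

# 5. Files carrying the .locked extension in the user profile (first few only).
Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter '*.locked' -ErrorAction SilentlyContinue |
    Select-Object -First 5 |
    ForEach-Object { $findings += "Encrypted file: $($_.FullName)" }

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Run it from an elevated PowerShell session, since reading HKLM and enumerating shares require administrator rights; any hit is a reason to take the machine offline before cleanup.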
In case you have become the victim of this campaign, contact ABM Computers at 510.522.4921 and we will be able to fix your machine.