The decryptor for a new ransomware is being sold on the Roblox gaming platform in exchange for the service's in-game Robux currency, a unique payment method. Roblox is an online gaming platform for kids where users can create their own games and monetize them by selling Game Passes, which give players access to in-game products, unique features, and more. Members pay for these Game Passes with Robux, the platform's virtual currency.
MalwareHunterTeam recently discovered a new ransomware called 'WannaFriendMe' that imitates the infamous Ryuk Ransomware but is actually a variant of the Chaos Ransomware. In June 2021, a threat actor started offering a Chaos ransomware builder that lets would-be criminals customize ransom notes, encrypted file extensions, and other characteristics to build their own ransomware.
By default, ransomware produced by the Chaos builder impersonates Ryuk and encrypts files with the .ryuk extension. Instead of asking for cryptocurrency as a ransom payment, the new WannaFriendMe ransomware instructs victims to purchase a decryptor from Roblox's Game Pass store using Robux, as detailed in the following ransom note:
—– YOUR FILES HAVE BEEN ENCRYPTED! —–
Don’t panic, your files are decryptable, But your files can only be decrypted with our own decrypter tool! To get this decrypter, you must buy this gamepass: https://www.roblox.com/game-pass/49955147/Ryuk-Decrypter
YOU MUST HAVE A ROBLOX ACCOUNT TO BUY THE GAMEPASS, BUY 1700 ROBUX AND THEN BUY THE GAMEPASS ABOVE.
AFTER BUYING THE GAMEPASS, CONTACT xxx@icloud.com WITH YOUR USERNAME AND SCREENSHOT OF YOU OWNING THE GAMEPASS. DO NOT DELETE THE GAMEPASS OTHERWISE YOU WILL DISOWN THE GAMEPASS.
According to the Roblox Game Pass store page at that URL, the 'Ryuk Decrypter' is being offered by a user named 'iRazormind' for 1,499 Robux and was last updated on June 5th. The issue with Chaos ransomware variants is that they not only encrypt your data but also, in many cases, destroy it.
While encrypting a device, the ransomware does not encrypt files larger than 2MB; it replaces their contents with random data instead. This means that even if you buy a decryptor, you can only recover files smaller than 2MB. While it's unknown how this ransomware spreads or whether it has been used in cyberattacks, its destructive nature and targeting of young players might do enormous harm.
Chaos ransomware variants have been known to target gamers in the past. In October, threat actors targeted Japanese Minecraft players with 'alt lists' that reportedly contained stolen Minecraft accounts and that encrypted devices with a Chaos ransomware variant.