In recent years there has been a massive explosion in the use of ransomware. Ransomware is a type of malware that holds files ransom on behalf of a hacker until a fee (usually in bitcoins) is paid up. Cybercriminals (whose primary motivation is financial gain) use their techie wiles to lock up computer systems for profit.
Victims range from hotels and hospitals to US senators and police departments. On many occasions, the victim is a regular citizen with a locked-up smartphone, who is told to hand over $200 if they ever want to use their device again. The sums of money demanded from corporations can be much larger, and the advice (from even the highest of authorities) is often to pay up (though I don’t recommend this).
The cybersecurity industry is acutely aware of the growing problem. In fact, cybercriminals are estimated to be making around $1 billion per year using ransomware. In addition, the availability of ransomware to “script kiddies” (inexperienced hackers who leverage pre-coded hacking tools and malware), makes cashing in on the ransomware bandwagon a massive temptation.
Unlikely Ransomware Attack
Normally, financial gains are the primary motivation. However, for the past month, a peculiar ransomware attack has been reported. Like other ransomware attacks, the cyberattack renders people’s devices (PCs and smartphones) unusable until a ransom has been met. Unusually, however, this time victims must play a game if they want to regain access to their encrypted files.
The attack begins with a line reminiscent of the film “Saw” – when unsuspecting victims are presented with the question:
“Want to play a game?”
Following that, a popup from the malware goes on to say: “Minamitsu ‘The Captain’ Murasa encrypted your precious data like documents, musics [sic], pictures, and some kinda project files.”
The ransomware in question is called Rensenware. Once a device has been infected, its owner must achieve a high score on an old school, manga-inspired, vertical shooter game called Touhou 12: Undefined Fantastic Object. Hilariously, however, that isn’t the whole story – to make things even tougher for the malware victim, the high score (of at least 0.2 billion) has to be achieved on “lunatic” mode (super hard).
According to researchers at Enigma Software (ES), the evil strain of ransomware first appeared on Github.com. At that time, a hacker going by the handle 0x00000FF uploaded the malware so that other users could attack their friends as a joke. According to ES, the version that they saw asked victims to get a score of 12 (also on ‘lunatic’ difficulty).
“This is extremely difficult, meaning that most of the victims fail the Rensenware Ransomware test,” ES commented.
A message during a Rensenware attack says:
“DO NO TRY CHEATING OR TERMINATE THIS APPLICATION IF YOU DON’T WANT TO BLOW UP THE ENCRYPTION KEY.”
The good news is that, if you fall victim to this “joke,” you don’t have to complete the high score to regain access to your device’s data.
Once a device is infected with Rensenware, the malware scans the device for a number of different file types: .png, .pdf, .hwp, .frm, .psd, .cs, .c, .cpp, .vb, .bas, .mp3, .wav, .flac, .gif, .doc, .docx, .ppt, .pptx, .js, .avi, .mp4, .zip, .rar, .mkv, .alz, .egg, .7z, .raw, .xls, .xlsx, .jpg, .txt.
Those files are then locked up with strong AES-256 encryption and are saved with a .RENSENWARE extension. Thankfully, however, because this malware was designed as a cruel joke, it doesn’t actually delete Volume Shadow Copies.That means it is possible to do data recovery on the device to get the files back… without the need for playing the game until it has been mastered.
In fact, cheating is pretty much the best way to get the data on the device back. Researchers have reported that it is completely safe to edit the score within the game’s memory to decrypt the files.
In addition, Rensenware’s designer (now believed to be called “Tvple Eraser” and thought to be from Korea) has already released a rensenware_forcer program, which alters the score and rids victims of the malware once and for all. According to a statement made by Trvple Eraser (when the developer released the fix), he or she never envisioned the joke going quite as sour as it has.
More Troubling Variant
Unfortunately, the story doesn’t end there. As is always the case with open source malware, some cruel hackers have taken Rensenware and turned it into a real cyberattack. Sadly, that secondary variant actually asks victims for cash. For anyone who is asked for money instead of a high score, it is recommended that Reimage is used to remove the ransomware. The good news is that Rensenware can be removed with relative ease using that software.
For people who are concerned about Ransomware in general, a reliable anti-malware program is strongly recommended. In addition, it is wise to create a data backup of your files, and to make the effort to regularly update all of your programs. In addition, anybody who falls victim to a ransomware attack can contact The No More Ransom project or ID-Ransomware. Both those websites help people to remove ransomware from an infected device without having to meet cybercriminals’ demands.
Title image credit: Rachata Teyparsit/Shutterstock.com
Image credits: Nicescene/Shutterstock.com, Burhan Bunardi/Shutterstock.com