Medium
A campaign spreading a new ransomware, dubbed “Syrk”, to victims via fake Fortnite hack tools. The malware masqueraded as a cheat for Fortnite, promising an aimbot to improve aim accuracy and ESP for revealing the location of other players. The researchers hypothesize that the download was hosted on a file-sharing site and advertised to victims on Fortnite forums. The analyzed sample appears to have been built from publicly available code: specifically, it is based on the source code of the Hidden-Cry ransomware, using a different file extension for encrypted files. Upon execution, the ransomware disables Windows Defender and UAC, launches an executable that drops several PowerShell scripts used for the encryption, establishes persistence, and monitors process management tools. Additionally, it creates scheduled routines that begin deleting encrypted files every two hours if the ransom has not been paid. The ransomware also propagates via USB drives: it uses Lime USB to identify attached USB drives and copies the ransomware executable to each drive it finds. An additional application is dropped on the system that allows the victim to enter the decryption key. The researchers discovered that the decryption tool is embedded as a resource in the main malware and that the key is contained in both the PowerShell scripts and text files dropped on the system.
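The behaviours listed above (Defender and UAC disabled, a PowerShell routine scheduled every two hours, the executable copied to removable drives) can be turned into a simple host-triage check. The following is an added example written for this summary, not code from the report or from the analysed sample. It assumes the standard Windows registry locations for the Defender and UAC settings (`DisableAntiSpyware` and `EnableLUA`), assumes scheduled-task repetition is expressed as an ISO 8601 duration (`PT2H`) as in task XML, and uses a constructed host snapshot and a constructed stand-in hash, since the page does not give the sample's hash.

```python
"""Host-snapshot triage for the behaviours attributed to Syrk (added example)."""
import hashlib
from dataclasses import dataclass

# Registry values the ransomware is reported to change. The key paths are the
# standard Windows locations and are an assumption; the report does not name them.
DEFENDER_DISABLE = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"
UAC_ENABLE_LUA = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"

# The report says files are deleted every two hours; scheduled-task XML expresses
# that repetition as the ISO 8601 duration PT2H (assumed format).
DELETE_INTERVAL = "PT2H"


@dataclass
class HostSnapshot:
    """What a collector would hand back from one endpoint (constructed for the example)."""
    registry: dict          # full value path -> value
    scheduled_tasks: list   # dicts with name, command, repeat_interval
    removable_files: dict   # path on a removable drive -> file bytes


def triage(snapshot: HostSnapshot, known_bad_sha256: set) -> list:
    """Return a list of finding tags matching the reported Syrk behaviours."""
    findings = []
    if snapshot.registry.get(DEFENDER_DISABLE) == 1:
        findings.append("defender_disabled")
    if snapshot.registry.get(UAC_ENABLE_LUA) == 0:
        findings.append("uac_disabled")
    # A PowerShell task repeating every two hours matches the deletion routine.
    for task in snapshot.scheduled_tasks:
        if "powershell" in task["command"].lower() and task.get("repeat_interval") == DELETE_INTERVAL:
            findings.append(f"powershell_task_2h:{task['name']}")
    # The executable copied to USB drives should hash-match the analysed sample.
    for path, content in snapshot.removable_files.items():
        if hashlib.sha256(content).hexdigest() in known_bad_sha256:
            findings.append(f"known_sample_on_removable:{path}")
    return findings


# Constructed stand-in for the real sample; the report's hash is not on this page.
SAMPLE_BYTES = b"MZ-placeholder-not-a-real-binary"
KNOWN_BAD = {hashlib.sha256(SAMPLE_BYTES).hexdigest()}

# Constructed snapshot of an infected host (names and paths are illustrative).
INFECTED = HostSnapshot(
    registry={DEFENDER_DISABLE: 1, UAC_ENABLE_LUA: 0},
    scheduled_tasks=[
        {"name": "UpdateCheck",
         "command": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\del.ps1",
         "repeat_interval": "PT2H"},
        {"name": "VendorUpdater",
         "command": r"C:\Program Files\Vendor\updater.exe",
         "repeat_interval": "PT1H"},
    ],
    removable_files={r"E:\FortniteHack.exe": SAMPLE_BYTES, r"E:\notes.txt": b"hello"},
)

# Constructed snapshot of a clean host for comparison.
CLEAN = HostSnapshot(
    registry={UAC_ENABLE_LUA: 1},
    scheduled_tasks=[{"name": "VendorUpdater",
                      "command": r"C:\Program Files\Vendor\updater.exe",
                      "repeat_interval": "PT1H"}],
    removable_files={r"E:\notes.txt": b"hello"},
)

if __name__ == "__main__":
    print("infected:", triage(INFECTED, KNOWN_BAD))
    print("clean:", triage(CLEAN, KNOWN_BAD))
```

Each finding on its own is weak (an administrator may legitimately change `EnableLUA`), so the value is in the combination: Defender and UAC disabled together with a recurring PowerShell task is the pattern the report describes, and the hash match on a removable drive ties it to the specific sample once the real hash is substituted for the placeholder.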
File encryption
Malware Hash (MD5/SHA1/SHA256)