This ransomware makes you sign up for Roblox to get your files back

The creators of a new ransomware strain have taken a novel approach when it comes to how victims pay up to regain access to their locked files.

While ransomware gangs normally make victims pay in cryptocurrency to unlock their files after an attack, security researcher MalwareHunterTeam has discovered a new ransomware named “WannaFriendMe” that has them pay in Roblox’s in-game currency Robux instead.

Although WannaFriendMe impersonates the notorious Ryuk ransomware, it’s actually a variant of the Chaos ransomware, according to BleepingComputer.

Setting up a crypto wallet to recover files after a ransomware attack can be a daunting process for those who are less technically inclined, and signing up, downloading, installing and buying in-game currency in Roblox will likely prove challenging for many as well.

Chaos ransomware builder

Back in June of last year, a cybercriminal began selling a ransomware builder called Chaos on an underground hacking forum. It allows others to create their own ransomware with custom ransom notes, encrypted file extensions and other features.

Since its release, there have been four versions of the Chaos ransomware builder and the latest version (4.0) gives an attacker the ability to add their own filename extensions to encrypted files as well as change the desktop wallpaper on infected machines, according to a blog post from Trend Micro.

The main problem with Chaos ransomware variants is that unlike other ransomware strains, they don’t only encrypt a victim’s data but also destroy it in many cases. This is because files larger than 2MB in size are overwritten with random data instead of being encrypted. As a result, those who do purchase a decryptor for WannaFriendMe or other Chaos ransomware variants will only be able to recover Word documents and other smaller files.

Selling ransomware decryptors on Roblox’s Game Pass store

If you do happen to have your PC infected with the WannaFriendMe ransomware, you’ll need to turn to Roblox to get your files back. 

In the ransom note left on victims’ machines, the creators of this new ransomware strain explain how to purchase their decryptor from the Roblox GamePass store, saying:

“Don’t panic, your files are decryptable, but your files can only be decrypted with our own decrypter tool! To get this decrypter, you must buy this gamepass. You must have a Roblox account to buy the gamepass, buy 1700 Robux and then buy the gamepass above.”

Once a victim purchases the GamePass in question, they then need to email the attacker and attach a screenshot of the GamePass in their inventory to gain access to the decryptor. However, like we mentioned above, the decryptor is unable to unlock files larger than 2MB, so it might not even be worth it as 1700 worth of Robux costs $19.99 at the time of writing.

Fortunately, the GamePass used to distribute the WannaFriendMe ransomware decryptor has now been removed from the Roblox store, according to a company spokesperson who provided the following statement to Tom's Guide:

“Roblox maintains many systems to keep our users safe and secure, and while this case did not relate to any exploit or vulnerability on Roblox, we have taken swift action to remove the Game Pass in question and we have permanently removed the account responsible for a breach of our Terms of Service.”

As BleepingComputer points out, another Chaos ransomware variant was used back in October of last year to target Minecraft players in Japan using fake alt lists promoted on gaming forums.

How to prevent falling victim to ransomware, malware and other viruses

Just like with malware and other computer viruses, clicking on strange links or email attachments can lead to a ransomware infection. This is why you should always carefully examine the full URL of all suspicious links before you click on them to make sure there are no spelling errors or other red flags. 

Regularly backing up your data is another important step when it comes to dealing with ransomware. If you already have another copy of your important files stored on an external hard drive or on a cloud backup service, you won’t be tempted to pay cybercriminals to decrypt your files. Likewise, even if you do pay up, there are no guarantees that your files will be unlocked.

Installing antivirus software on your computers can also be a big help as suspicious or known malicious files will be flagged by a company’s antivirus engine so that you know to avoid clicking on them.

Anthony Spadafora

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.