Nasty Ransomware Holds PC Games Hostage

Senior editor, security and privacy
Updated

This Elder Scrolls boss won't stand a chance against TeslaCrypt. Credit: Bethesda SoftworksThis Elder Scrolls boss won't stand a chance against TeslaCrypt. Credit: Bethesda Softworks

A new strain of encrypting ransomware is forcing PC gamers to face a real-life alien invader that could permanently lose their saves.

TeslaCrypt gets into computers through compromised websites and locks up 185 different kinds of files, including data related to Call of Duty, World of Warcraft, BioShock, Assassin's Creed, StarCraft, Diablo, the Elder Scrolls, League of Legends, the Steam game-distribution software and the Unity and Unreal Engine graphics engines, among others.

Victims are asked to pay up $500 in Bitcoin or $1,000 in PayPal My Cash cards, the latter of which entails more exposure risk for the criminals behind this scheme.

MORE: Best Antivirus Software and Apps

Breaching the perimeter

The malware attacks Internet Explorer and Opera Web browsers that land on a compromised WordPress-based website, said Vadim Kotov of Cupertino, California-based enterprise-security firm Bromium in a report yesterday (March 12) titled "Achievement Locked: New Crypto-Ransomware Pwns Video Gamers." (The report didn't name the compromised site, but said its operator had been notified.)

A Feb. 27 post on the Bleeping Computer website, which dubbed the malware TeslaCrypt, gave credit for the discovery of the ransomware to Fabian Wosar of Austrian computer-security firm Emsisoft.

Bromium noted that a malicious Adobe Flash Player movie on the compromised site leads to a malicious website, then to another malicious website, and finally to the Angler exploit kit, a bundle of malware that launches one attack after another at visiting Web browsers in the hope that one succeeds.

Angler performs two checks: one to see whether the visiting browser is running on a virtual machine (a software "computer" within a computer often used by antivirus researchers), the other to detect certain antivirus products running on the visiting browser's computer.

If it finds nothing, then Angler launches attacks on a recent Adobe Flash Player flaw and an older Internet Explorer flaw. (The former was patched by Adobe in January, the latter by Microsoft in 2013, but plenty of people never update their software.)

Insider threat

If Angler successfully puts TeslaCrypt on the visiting machine, the ransomware methodically encrypts each instance of 185 different kinds of files, Bromium said, including image, office, movie and compressed files, plus the default iTunes music format file-extention .m4a, as well as gaming files. (MP3 files were not on the list.) Bleeping Computer said once encrypted, files would bear the extension ".ecc."

"Many young adults may not have any crucial documents or source code on their machine (even photographs are usually stored at Tumblr or Facebook)," noted the Bromium report, "but surely most of them have a Steam account with a few games and an iTunes account full of music."

Even worse, said Bleeping Computer, TeslaCrypt then deletes all Windows restore points from the computer, making it impossible for the user to turn back the clock to regain access to encrypted files. The only way to regain access is to restore files from an uninfected backup drive — or to pay the ransom.

How to avoid pwnage

Fortunately, TeslaCrypt infection can be prevented by fully patching Microsoft and Adobe software. Robust antivirus software (the kind you pay for) should also be able to detect the Angler exploit kit's presence on websites.

But those steps won't prevent infection from other kinds of ransomware, some strains of which may use zero-day exploits or other forms of attack against which there is little defense.

In general, recommended Kotov, "keep your files backed on an external hard drive and keep this hard drive unplugged when you go online."

"Be also careful with your DropBox (or other cloud services)," he added. "If you have folders synchronized with an online storage [service], malware will get to them, too."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseilFollow Tom's Guide at @tomsguide, on Facebook and on Google+.