
Pokemon Go Ransomware Catches, Locks Most PC Files

When a game reaches the level of popularity of Pokemon Go, it's not surprising to find nefarious attackers abusing the trend. New Windows ransomware posing as the popular mobile game tries to steal most of your files and spread to other systems.

Credit: dennizn / Shutterstock


Hidden inside a PokemonGo.exe file (which features an adorable Pikachu as its icon) is a new version of the constantly evolving Hidden Tear ransomware, which scans your hard drive for commonly used file formats. Why a PC user would think this mobile game is available for the desktop is a question that doesn't seem to concern the attackers.


Once the Pokemon Go ransomware indexes certain types of files (including Microsoft Word, Excel and PowerPoint documents), it encrypts them, gives them the .locked file extension and tells the user to send an email to me.blackhat20152015@mt2015.com for payment instructions.

This news comes from Lawrence Abrams at the BleepingComputer tech advice site, which reported yesterday (Aug. 14) that the Pokemon Go ransomware was discovered by malware-hunter Michael Gillespie. Abrams notes that the version he found appears to be unfinished, as it doesn't contain any IP address to which to send stolen files.

This version of Hidden Tear contains more troublesome features than the average ransomware. On infected machines, it creates an administrator account named Hack3r that it hides from the Windows login screen, to obfuscate how much control the attackers have gained.

Once Hidden Tear takes control of your system, it sets up code that will copy itself onto any connected removable drives, such as USB sticks. It also drops code onto those drives that allows it to run automatically after the drive is plugged into another system.

Hidden Tear can also create a network share, another capability that could be used to get around router or firewall defenses.

The discovered version of the Pokemon Go-based Hidden Tear appears to be made to target Arabic-speaking users. The file name of the ransomware note it leaves on the desktop is in Arabic (هام جدا.txt, which translates to Very Important.txt), as is the note inside the file. Also, this version of Hidden Tear creates a screensaver that features an excited Pikachu and a second ransom note, also written in Arabic.
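The behaviours reported above (mass renames to .locked, the Arabic ransom note dropped on the desktop, and the hidden Hack3r administrator account) are concrete enough to turn into host-level detection rules. The following is an added example, not code from the article or from the malware analysis it cites; the event format, the 20-renames-per-minute threshold and the sample events are constructed assumptions for illustration.

```python
"""Detection sketch for the Pokemon Go / Hidden Tear behaviours described in the article."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from collections import deque

LOCKED_EXT = ".locked"          # extension given to encrypted files (from the article)
RANSOM_NOTE = "هام جدا.txt"     # "Very Important.txt" note left on the desktop (from the article)
SUSPECT_ACCOUNT = "hack3r"      # hidden admin account name (from the article)
RENAME_BURST = 20               # renames per window before alerting (assumed threshold)
WINDOW = timedelta(seconds=60)  # sliding window for the rename burst (assumed)

@dataclass
class Event:
    ts: datetime
    kind: str     # "rename" (file renamed), "create" (file created), "user_add" (local account added)
    target: str   # new file path, or account name for user_add

def detect(events):
    """Return (rule, detail) findings for a list of host events in any order."""
    findings = []
    locked_times = deque()      # timestamps of recent renames to .locked
    burst_reported = False
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "rename" and ev.target.lower().endswith(LOCKED_EXT):
            locked_times.append(ev.ts)
            while locked_times and ev.ts - locked_times[0] > WINDOW:
                locked_times.popleft()          # expire entries outside the window
            if len(locked_times) >= RENAME_BURST and not burst_reported:
                findings.append(("locked_rename_burst", f"{len(locked_times)} renames within {WINDOW}"))
                burst_reported = True
        elif ev.kind == "create" and ev.target.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            findings.append(("ransom_note", ev.target))
        elif ev.kind == "user_add" and ev.target.lower() == SUSPECT_ACCOUNT:
            findings.append(("hidden_admin_account", ev.target))
    return findings

def sample_events():
    """Constructed sample: an infection timeline plus one benign rename that must not alert."""
    t0 = datetime(2016, 8, 14, 10, 0, 0)
    evs = [Event(t0 + timedelta(seconds=i), "rename", f"C:\\Users\\a\\Documents\\report{i}.docx.locked")
           for i in range(25)]
    evs.append(Event(t0 + timedelta(seconds=5), "user_add", "Hack3r"))
    evs.append(Event(t0 + timedelta(seconds=30), "create", "C:\\Users\\a\\Desktop\\هام جدا.txt"))
    evs.append(Event(t0 + timedelta(seconds=40), "rename", "C:\\Users\\a\\notes.txt"))  # benign
    return evs

if __name__ == "__main__":
    for rule, detail in detect(sample_events()):
        print(rule, "->", detail)
```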