Researchers discovered a seemingly new strain of ransomware that, atypically, sells its decryptor on the Roblox Game Pass Store in exchange for in-game Robux currency.
The ransomware, dubbed ‘WannaFriendMe’, appears to impersonate the infamous Ryuk ransomware but is, in fact, a Chaos ransomware derivative, according to security researcher MalwareHunterTeam.
Chaos ransomware has been around since June 2021, when perpetrators started selling its builder, letting cybercrooks design their own flavor of the ransomware. The builder included various tools that let threat actors customize ransom notes and file extensions, among other features. Left unmodified, Chaos mimicked Ryuk by using the same (.ryuk) extension for the files it encrypted.
The distinctive trait of WannaFriendMe ransomware is that it sells its decryptor in the Roblox Game Pass store and asks its victims to buy it with Robux, an in-game currency. Usually, ransomware victims are told to pay the ransom in cryptocurrency. The ransom note left by the threat actors can be read in its entirety below:
—– YOUR FILES HAVE BEEN ENCRYPTED! —–
Don’t panic, your files are decryptable, But your files can only be decrypted with our own decrypter tool! To get this decrypter, you must buy this gamepass: https://www.roblox.com/game-pass/49955147/Ryuk-Decrypter
YOU MUST HAVE A ROBLOX ACCOUNT TO BUY THE GAMEPASS, BUY 1700 ROBUX AND THEN BUY THE GAMEPASS ABOVE.
AFTER BUYING THE GAMEPASS, CONTACT firstname.lastname@example.org WITH YOUR USERNAME AND SCREENSHOT OF YOU OWNING THE GAMEPASS. DO NOT DELETE THE GAMEPASS OTHERWISE YOU WILL DISOWN THE GAMEPASS.
Despite the perpetrators’ playful take on ransomware, Chaos variants hide a dark secret: they destroy files larger than 2 MB in the process. During encryption, ransomware strains like WannaFriendMe overwrite files greater than 2 MB with random data instead of encrypting them. This leaves victims in a tight spot, as they can’t recover files measuring 2 MB or larger even if they do buy the decryptor.
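
One way to triage an affected host using the 2 MB behaviour described above (an added example, not code from the article or the researchers): it compares a pre-incident backup manifest against the paths found after the incident. The manifest format, the sample paths, the `.ryuk` suffix on affected files, and the exact threshold (2 × 1024 × 1024 bytes, strictly greater) are assumptions.

```python
import csv
import io
from collections import defaultdict

# Assumptions (not from the article): threshold is binary 2 MB and strictly
# "larger than"; the variant appends ".ryuk" as unmodified Chaos does.
THRESHOLD_BYTES = 2 * 1024 * 1024
ENCRYPTED_EXT = ".ryuk"

# Constructed sample: pre-incident backup manifest (path, original size in bytes).
MANIFEST_CSV = """path,size
C:/Users/a/Documents/budget.xlsx,48211
C:/Users/a/Documents/thesis.docx,3500000
C:/Users/a/Pictures/scan.tiff,2097152
C:/Users/a/Videos/demo.mp4,73400320
C:/Users/a/notes.txt,912
"""

# Constructed sample: paths found on the affected host after the incident.
POST_INCIDENT_PATHS = [
    "C:/Users/a/Documents/budget.xlsx.ryuk",
    "C:/Users/a/Documents/thesis.docx.ryuk",
    "C:/Users/a/Pictures/scan.tiff.ryuk",
    "C:/Users/a/Videos/demo.mp4.ryuk",
    "C:/Users/a/notes.txt",
    "C:/Users/a/Downloads/new.iso.ryuk",
]

def load_manifest(text):
    """Return {original_path: size_in_bytes} from manifest CSV text."""
    return {row["path"]: int(row["size"]) for row in csv.DictReader(io.StringIO(text))}

def triage(manifest, found_paths):
    """Group affected files by what the pre-incident size implies for recovery."""
    result = defaultdict(list)
    for path in found_paths:
        if not path.lower().endswith(ENCRYPTED_EXT):
            result["untouched"].append(path)
            continue
        original = path[: -len(ENCRYPTED_EXT)]
        size = manifest.get(original)
        if size is None:
            result["unknown_size"].append(original)  # not in manifest: cannot classify
        elif size > THRESHOLD_BYTES:
            result["overwritten_restore_from_backup"].append(original)
        else:
            result["encrypted"].append(original)
    return dict(result)

if __name__ == "__main__":
    for bucket, paths in triage(load_manifest(MANIFEST_CSV), POST_INCIDENT_PATHS).items():
        print(bucket, len(paths), paths)
```

Classification uses the original size from the manifest rather than the size on disk after the incident, since the article does not say how large the overwritten files end up.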