Syrk ransomware lurking in Fortnite cheat pack

Credit to Author: Leonid Grustniy | Date: Fri, 23 Aug 2019 15:18:41 +0000

Cybercriminals try to capitalize on anything enjoying public favor, including popular games. Malware often pretends to be a pirated copy or mobile version of a game, especially if the latter has not been officially released.

Recently, a ransomware encryptor called Syrk emerged. Passed off as a cheat pack for Fortnite — a game that has built a 250-million-strong user base in two years — Syrk promises players two cheats in one package: aimbot (an autoaiming tool) and WH (aka ESP, a cheat for discovering other players’ locations in the game). But what this package really does is encrypt the victim’s files and demand ransom.

Ransomware posing as a Fortnite aim and WH cheat pack

How Syrk ransomware works

According to researchers from Cyren, Syrk is a basically intact copy of open-source ransomware. Once executed, the software connects to a command-and-control server and disables the following programs:

  • Windows Defender,
  • UAC (the system that requests user permission for administrator actions),
  • Process-monitoring apps that can be used to detect the infection, such as Task Manager, Process Monitor, and Process Hacker.

The cryptor also adds itself to the startup (autoload) list, so rebooting the machine does not get rid of it. If any USB drives are connected to the computer, Syrk attempts to infect them as well.

The malware then sets about locating and encrypting media files, text documents, spreadsheets and presentations, ZIP and RAR archives, and Photoshop and Microsoft Visual Studio files. It gives the resulting abracadabra the .SYRK extension.

The monitor displays a nonclosable demand for ransom.

The text with the Guy Fawkes mask in the background says that the only way to recover the files is to contact the criminals by e-mail and pay them. The victim is given limited time for that: Syrk will delete encrypted files every two hours, it says — first from the photos folder, then the desktop, and finally the user’s documents.

Recover your files free

The good news is, you don’t have to pay the ransom, even if Syrk has penetrated your computer and encrypted your documents. Its current version actually stores the key needed to decrypt the files right on the infected machine. The key is in the folder C:\Users\Default\AppData\Local\Microsoft, in a file called -pw+.txt or +dp-.txt.

To recover your files:

  • Copy the key.
  • In the ransom demand window, press Show My ID to open a page showing your ID and invitation to Enter the key to Decrypt your Files.
  • Paste the key into the appropriate field and press Decrypt my Files.

The program will recover the encrypted photos and documents and then create and execute two .exe files, which will clean up what remains of the malware.

There is an alternative way to save your files, although a more difficult one. The truth is, the malware features a decryption component that will recover the documents, should you succeed in extracting and executing it. The infection will have to be deleted manually, though.
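The two facts above that a responder can act on, the .SYRK extension on encrypted files and the key file left in C:\Users\Default\AppData\Local\Microsoft, lend themselves to a small triage script. The one below is an added example written for this page; it is not Cyren's or Kaspersky's tooling, and it decrypts nothing. Given a mounted copy of the drive (or the constructed sample tree it builds for itself), it counts encrypted files in the order the ransom note says they will be deleted and reports whether a key file is still present. It assumes that the .SYRK suffix is appended to the original file name and that the profile folders carry the standard Windows names Pictures, Desktop and Documents; neither detail is stated in the write-up.

```python
"""Responder triage for a Syrk-style infection (added example, not the
vendor's code). Uses only what the write-up states: encrypted files get the
.SYRK extension, the key lives under Users/Default/AppData/Local/Microsoft
as -pw+.txt or +dp-.txt, and deletion runs photos -> desktop -> documents.
Assumptions: .SYRK is appended to the original name; the standard Windows
profile folder names are used; the scan root is a mounted image (or the
constructed sample tree below)."""
import json
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".syrk"          # compared case-insensitively
KEY_DIR_PARTS = ("Users", "Default", "AppData", "Local", "Microsoft")
KEY_FILE_NAMES = ("-pw+.txt", "+dp-.txt")
# Order in which the ransom note says files are deleted (folder names assumed).
PRIORITY_FOLDERS = ("Pictures", "Desktop", "Documents")


def find_encrypted_files(root):
    """Return sorted root-relative POSIX paths of every file ending in .SYRK."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() == ENCRYPTED_SUFFIX
    )


def find_key_files(root):
    """Return (relative_path, key_text) for each candidate key file present."""
    root = Path(root)
    key_dir = root.joinpath(*KEY_DIR_PARTS)
    found = []
    for name in KEY_FILE_NAMES:
        candidate = key_dir / name
        if candidate.is_file():
            text = candidate.read_text(encoding="utf-8", errors="replace").strip()
            found.append((candidate.relative_to(root).as_posix(), text))
    return found


def count_by_priority_folder(encrypted_paths):
    """Count hits per folder in the order the note says they get deleted."""
    counts = {name: 0 for name in PRIORITY_FOLDERS}
    for rel in encrypted_paths:
        parts = Path(rel).parts
        for name in PRIORITY_FOLDERS:
            if name in parts:
                counts[name] += 1
                break
    return counts


def triage(root):
    """Summary: total encrypted files, per-folder counts, key files found."""
    encrypted = find_encrypted_files(root)
    keys = find_key_files(root)
    return {
        "encrypted_count": len(encrypted),
        "by_priority_folder": count_by_priority_folder(encrypted),
        "key_files": keys,
        "key_recoverable": bool(keys),
    }


def build_sample_tree(base):
    """Constructed sample drive layout so the example runs offline."""
    base = Path(base)
    key_dir = base.joinpath(*KEY_DIR_PARTS)
    key_dir.mkdir(parents=True, exist_ok=True)
    # Constructed placeholder; a real key is whatever Syrk wrote to the file.
    (key_dir / KEY_FILE_NAMES[0]).write_text("CONSTRUCTED-SAMPLE-KEY-0000\n",
                                             encoding="utf-8")
    profile = base / "Users" / "alice"
    samples = {
        "Pictures/holiday.jpg.SYRK": b"\x00\xffgarbled",
        "Desktop/notes.txt.SYRK": b"\x00\xffgarbled",
        "Documents/report.docx.SYRK": b"\x00\xffgarbled",
        "Documents/budget.xlsx.SYRK": b"\x00\xffgarbled",
        "Documents/readme.txt": b"untouched plain text",
    }
    for rel, data in samples.items():
        target = profile / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base


def demo():
    """Run the triage against the constructed tree and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real image by calling triage() with the mount point instead of demo(); the per-folder counts tell you how much is at stake before the first two-hour deletion, and an empty key_files list means the local-key recovery path described above is not available and restoring from backup is the remaining option.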

Protecting yourself from ransomware

According to the researchers, data deleted by Syrk is likely recoverable, although professional help might be required. Recovering the files using a locally stored key works for now, but the malware creators may later rework their tool to deny users the opportunity to decrypt their files without paying the ransom. As always, the best tactic is to prevent ransomware from harming you.

  • Never download programs from untrusted sources, even if they promise supercool gameplay advantages. Especially if they promise supercool gameplay advantages.
  • Back up your files and store them so they are inaccessible directly from your computer. If you use external HDDs or flash drives, connect them only for as long as it takes to complete backup.
  • Install a reliable protection solution. Kaspersky Internet Security detects Syrk as a malicious object, which means it will never be allowed to reach your files, even if you try downloading or executing it.
