PokemonGO now has a ransomware virus counterpart – an executable file with the name PokemonGo.exe and an icon of the Pikachu pokemon. Fans of the latest trend in the gaming world might be tricked to open the file and find their files encrypted. Based on the HiddenTear project, this ransomware will also put the .locked extension to encrypted files as other similar viruses.
Read the full article to see how to remove the ransomware and possibly decrypt your files.
|Short Description||The ransomware encrypts all important files and displays a ransom note, giving out instructions on paying the ransom.|
|Symptoms||The ransomware will encrypt files with and put the .locked extension to each file.|
|Distribution Method||Spam Emails, File Sharing Networks, .Exe Files|
|Detection Tool|| See If Your System Has Been Affected by PokemonGO |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss PokemonGO.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
PokemonGO Ransomware – Infection Spread
PokemonGO ransomware spreads with an executable file named PokemonGo.exe as you can see in the picture on the right. It uses an icon of the pokemon Pikachu, which is emblematic for the world of these “pocket monsters”, that the game is about. Thus, the clever wrapper of the ransomware can trick hundreds if not thousands of people into opening it. The .exe file could be found across spam mail distributing electronic letters with malicious attachments, for instance.
File-sharing services and social media networks might also be used, as well as exploit kits in the future. Be careful with your online activity and avoid suspicious mails, websites, links and files.
PokemonGO Ransomware – A Detailed Look
PokemonGO ransomware is based on the HiddenTear project. It is named after the very popular Pokémon GO video game that became a worldwide phenomenon earlier this summer. The ransom note is written in Arabic. Thus, it is possible that mainly Arabic countries are targeted. In the past, the Arab world had banned all Pokemon games but has embraced the latest Pokemon Go craze. Thus, it is understandable that many people might search for it from Arab speaking countries. That does not exclude the possibility of other people to get their PCs compromised.
PokemonGO ransomware will create a user account named “Hack3r” on a compromised computer as you can see below:
The following key in the Windows registry will be created, in accordance with the user profile:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList “Hack3r” = 0
The following Windows registry key will also be created, which makes the ransomware more persistent and starts it with each loading of the Windows Operating System:
On top of it all, the PokemonGO ransomware makes an Autorun.inf file, which will automatically start the ransomware upon the connection of any removable drive to the computer. This is what is found inside that file:
The ransomware was found in the wild by the malware researcher Michael Gillespie. It is thought that the virus might still be in development or could be tweaked more in the near future, but it looks nasty enough from now.
The PokemonGO ransomware places the .locked file extension on each of the encrypted files. After that process is complete, the file هام جدا.txt is placed on the desktop, containing the ransom instructions. The name of the file is translated as “very important”. The ransomware creates a screensaver with the same text as the ransom message:
The text from that ransom note reads:
(: لقد تم تشفير ملفاتكم, لفك الشفرة فلكسي موبيليس للعنوان التالي firstname.lastname@example.org وشكرا على كرمكم مسبقا
It is in Arabic, but a rough English translation of the ransom note will look like the following:
(: Your files have been encrypted, decoding on Falaksa Mobilis following address email@example.com and thank you in advance for your generosity.
As you can see from the ransom note, it is written in Arabic. Only an email is left as a contact with the cyber criminals. Possibly the price is negotiable, but you shouldn’t be liable to such extortion. Do not pay the criminals, as this will only motivate them and support their illegal actions. No guarantee exists that you will get your files back.
→.asp, .aspx, .csv, .doc, .docx, .txt, .xls, .xlsx, .xml, .htm, .html, .sln, .sql, .mdb, .mht, .odt, .pdf, .rtf, .php, .pptx, .ppt, .psd, .png, .jpg, .gif
All these file extension types are the most widespread ones used for storing the personal information of users. They will be encrypted with the .locked extension as other similar HiddenTear ransomware viruses do. The PokemonGO ransomware utilizes an AES 256-bit algorithm for the encryption.
PokemonGO ransomware is not reported to delete the Shadow Volume Copies from the Windows operating system, but it is a very probable outcome.
Remove PokemonGO Ransomware and Restore .locked Files
If your computer machine got infected with the PokemonGO ransomware, you should have some experience in removing malware. You should get rid of this ransomware as quickly as possible before it encrypts other files and spreads deeper in the network you use. The recommended action for you is to remove the ransomware effectively by following the step-by-step instructions manual provided down below.