The ransomware that says, “I don’t want money” – play a violent game instead!

Thanks to Simon Porter of SophosLabs for his behind-the-scenes work on this article.

Not all ransomware is made equal.

To be clear, we’re not for a moment suggesting that any form of ransomware is technically, ethically, morally or legally acceptable.

After all, ransomware is guilty of unuauthorised access as soon as it reads your files, and of the more serious crime of unauthorised modification as soon as it overwrites them.

Worse still, most ransomware follows up those offences with the yet more odious crime of demanding money with menaces – what is known on the street as blackmail, extortion, standover, or plain old criminal b*****dry.

But it’s Friday the Thirteenth today, historically the “day of madness” for computer virus writers, so we thought we’d feature a recent ransomware sample with an unusual twist.

This one explicitly and unusually says, “I don’t want money.”

Instead, the PUBG Ransomware has a weirder aim: to get you to play a recently-released online game called PLAYERUNKNOWN’s Battleground, or PUBG for short.

Sophos products proactively detected this malware as Mal/Genasom-A.
The sample used to prepare this article has the SHA256 hash: 3208efe9­6d14f5a6­a2840dae­cbead6b0­f4d73c5a­05192a1a­8eef8b50­bbfb4bc1

PUBG is a game of the “last player standing” sort, a genre based on an ultra-violent, dystopian and unsurprisingly controversial Japanese novel of 1999 (made into a film in 2000) called Battle Royale, in which adolescent schoolchildren are forced to fight to the death under the terms of a government law known as the BR Act.

Edifying stuff, indeed.

Anyway, the malware author wants you to play PUBG, offering to unscramble your files once you’ve clocked up an hour of time in the game.

Your files is encrypred by PUBG Ransomware!
but don't worry! It is not hard to unlock it.
I don't want money!
Just play PUBG 1Hours!

In theory, this means buying a copy of the game (it’s currently £26.99 in the UK) and installing the software, but the ransomware doesn’t make any effort to take a slice of your purchasing pie.

There’s no download link, affiliate code, keylogger, credit card sniffer or other malware mechanism by which the author could sneakily take advantage of your purchase, assuming you didn’t have the game already.

Quite why he chose PUBG, and what he’s hoping to achieve by urging you to play it, is a mystery.

In practice, there’s no need to buy the game at all, because the malware detects that you are “playing” simply by monitoring the list of running apps for a program called TSLGAME.EXE, which is the name of the file you launch to start the PUBG game. (No, we don’t know what TSL stands for.)

So you can rename any handy utility to TSLGAME.EXE, run it, and the malware will assume you have obeyed its instructions to play the game.

The malware shows you a counter so you can keep track of how many seconds you’ve been playing, but instead of waiting for you to clock up 3600 seconds of game time (that’s 60 minutes’ worth of 60 seconds, or one hour), it decrypts your data after just three seconds.

Mostly harmless?

We’re assuming that the author of this malware – we don’t know who they are, but they left the username Ryank inside the compiled code, for what that’s worth – intended this as a rather sleazy and slightly risky joke.

Indeed, at first sight, you might be inclined to dismiss this sort of malware as “mostly harmless”, because it includes a built-in decryptor.

Also, it uses a hard-coded encryption process (AES in CBC mode with the key GBUPRansomware) so that you, or perhaps a technically-inclined friend, could probably knit your own recovery tool if all else failed.

Nevertheless, programs like PUBG Ransomware simply aren’t acceptable: it’s not up to someone else to take any sort of unauthorised risks – no matter how carefully calculated or cautiously programmed – with your data.

For instance, a bug or an unexpected error condition in the encryption or decryption code could have disastrous side-effects, not least because this malware simply ignores most run-time errors, and ploughs on regardless if something goes wrong.

The risk of data corruption caused by badly written and inadequately tested code is obvious.

Add to the equation that this particular badly-written code is acting without authorisation, and comes from an anonymous author who can’t be contacted for support or otherwise held to account if your data goes down the drain…

…and you will realise why malware is still malicious even if it isn’t overtly about money.

What to do?

If you’re a hobbyist coder looking to have some programming fun…

…avoid the temptation to muck about with malware.

Find an online coding community that you can contribute to openly and be proud of taking part in.

There are loads of open source projects that would love to have you if you are willing to play by the rules.

Don’t let yourself get sucked into writing malicious software that you’ll spend the rest of your life hoping no one finds out that you were part of.

Learn more

Ransomware that openly proclaims it’s not interested in money is very rare.

Most ransomware is all about money – your money, paid over to the crooks to get your data back.

Why not read our guide to staying ahead of the cybercriminals?