Thanks to Simon Porter of SophosLabs for his behind-the-scenes work on this article.
Not all ransomware is made equal.
To be clear, we’re not for a moment suggesting that any form of ransomware is technically, ethically, morally or legally acceptable.
After all, ransomware is guilty of unauthorised access as soon as it reads your files, and of the more serious crime of unauthorised modification as soon as it overwrites them.
Worse still, most ransomware follows up those offences with the yet more odious crime of demanding money with menaces – what is known on the street as blackmail, extortion, standover, or plain old criminal b*****dry.
But it’s Friday the Thirteenth today, historically the “day of madness” for computer virus writers, so we thought we’d feature a recent ransomware sample with an unusual twist.
This one explicitly and unusually says, “I don’t want money.”
Instead, the PUBG Ransomware has a weirder aim: to get you to play a recently-released online game called PLAYERUNKNOWN’s Battleground, or PUBG for short.
Sophos products proactively detected this malware as Mal/Genasom-A.
The sample used to prepare this article has the SHA256 hash: 3208efe96d14f5a6a2840daecbead6b0f4d73c5a05192a1a8eef8b50bbfb4bc1
PUBG is a game of the “last player standing” sort, a genre based on an ultra-violent, dystopian and unsurprisingly controversial Japanese novel of 1999 (made into a film in 2000) called Battle Royale, in which adolescent schoolchildren are forced to fight to the death under the terms of a government law known as the BR Act.
Edifying stuff, indeed.
Anyway, the malware author wants you to play PUBG, offering to unscramble your files once you’ve clocked up an hour of time in the game.
Your files is encrypred by PUBG Ransomware! but don't worry! It is not hard to unlock it. I don't want money! Just play PUBG 1Hours!
In theory, this means buying a copy of the game (it’s currently £26.99 in the UK) and installing the software, but the ransomware doesn’t make any effort to take a slice of your purchasing pie.
There’s no download link, affiliate code, keylogger, credit card sniffer or other malware mechanism by which the author could sneakily take advantage of your purchase, assuming you didn’t have the game already.
Quite why he chose PUBG, and what he’s hoping to achieve by urging you to play it, is a mystery.
In practice, there’s no need to buy the game at all, because the malware detects that you are “playing” simply by monitoring the list of running apps for a program called TSLGAME.EXE, which is the name of the file you launch to start the PUBG game. (No, we don’t know what TSL stands for.)
So you can rename any handy utility to TSLGAME.EXE, run it, and the malware will assume you have obeyed its instructions to play the game.
The malware shows you a counter so you can keep track of how many seconds you’ve been playing, but instead of waiting for you to clock up 3600 seconds of game time (that’s 60 minutes’ worth of 60 seconds, or one hour), it decrypts your data after just three seconds.
Mostly harmless?
We’re assuming that the author of this malware – we don’t know who they are, but they left the username Ryank inside the compiled code, for what that’s worth – intended this as a rather sleazy and slightly risky joke.
Indeed, at first sight, you might be inclined to dismiss this sort of malware as “mostly harmless”, because it includes a built-in decryptor.
Also, it uses a hard-coded encryption process (AES in CBC mode with the key GBUPRansomware) so that you, or perhaps a technically-inclined friend, could probably knit your own recovery tool if all else failed.
Nevertheless, programs like PUBG Ransomware simply aren’t acceptable: it’s not up to someone else to take any sort of unauthorised risks – no matter how carefully calculated or cautiously programmed – with your data.
For instance, a bug or an unexpected error condition in the encryption or decryption code could have disastrous side-effects, not least because this malware simply ignores most run-time errors, and ploughs on regardless if something goes wrong.
The risk of data corruption caused by badly written and inadequately tested code is obvious.
Add to the equation that this particular badly-written code is acting without authorisation, and comes from an anonymous author who can’t be contacted for support or otherwise held to account if your data goes down the drain…
…and you will realise why malware is still malicious even if it isn’t overtly about money.
What to do?
If you’re a hobbyist coder looking to have some programming fun…
…avoid the temptation to muck about with malware.
Find an online coding community that you can contribute to openly and be proud of taking part in.
There are loads of open source projects that would love to have you if you are willing to play by the rules.
Don’t let yourself get sucked into writing malicious software that you’ll spend the rest of your life hoping no one finds out that you were part of.
Learn more
Ransomware that openly proclaims it’s not interested in money is very rare.
Most ransomware is all about money – your money, paid over to the crooks to get your data back.
Why not read our guide to staying ahead of the cybercriminals?
“ultra violent”
Is there actually any real connection between PUBG and “Battle Royal”, aside from the game mode being a battle royal? I haven’t played the game, but from what I have seen I don’t remember any exploding heads or anything along those lines. Is that Battle Royal reference only there to make the connection of “ultra violent” with the game?
It’s “Battle Royale” (note spelling and capital letters), and the connection is that the game explicitly bills itself with the words, “Not just a game, this is Battle Royale”.
In other words, the game defines itself as the archetype of a genre that is named after the novel/film. And this is exactly how the article describes the situation- “PUBG is a game of the ‘last player standing’ sort, a genre based on an ultra-violent, dystopian and unsurprisingly controversial Japanese novel of 1999 (made into a film in 2000) called Battle Royale.”
What more of a connection do you want? Are you suggesting that the game is *not* dystopian and ultra-violent? Are you suggesting that the game is not claiming a definitive metaphorical connection with the novel/film? (If not, then the videos that autoplay when you visit the PUBG website must surely be false advertising, considering the array of weaponry, and fiery explosions depicted for all ages to see, along with that unequivocal strapline about how the game *is* Battle Royale.)
Wouldn’t be too surprised if the author sued.
Battle Royale is less violent than most Schwarzenegger films, it’s the context that makes it shocking.
I’m not sure how being “less violent than a Schwarzenegger film” is of any particular relevance here.
AFAIK, Battle Royale involves a contest in which there are something like 50 murders in 3 days. I think “ultra-violence” is a suitable description for that.
(The term ultra-violence alongside the notion of dystopia is an allusion to A Clockwork Orange, BTW.)
It was just a question. Maybe we have a different perception of “ultra-violent”. I didn’t think PUBG was more violent than the average shooter, but I do think Battle Royale (the movie) is. I was just wondering if you had considered the game to be ultra-violent because of its connection to Battle Royale or on its own merits.
Couple typos in there … “gane” instead of “game” and “dataa” instead of “data”
Thank you. We’ve fixed it now 🙂