Wednesday, September 4, 2019

The Syrk ransomware

    The Syrk ransomware, first reported by researchers at Cyren Security, disguises itself as a cheating tool for the multiplayer, Hunger Games-style video game Fortnite. It claims to provide aim assistance as well as the ability to reveal player locations. It provides none of these capabilities and instead installs an open-source ransomware, Hidden-Cry, which encrypts files with a .syrk extension.
    Hidden-Cry was shared on GitHub at the end of last year and is still openly available. The ransomware goes through a ten-step process which consists of contacting a command-and-control (CC) server, disabling common defenses, executing a payload, encrypting files with a .Syrk extension, establishing persistence, preventing termination, periodically deleting files to establish a threat, and finally propagating itself by placing malicious versions of files on connected USB drives. This particular malware is relatively benign. The decryption tool is bundled with the downloaded files and is easily extracted and used to decrypt the ransomed files. The malware also creates .txt files to be sent to the CC server so that the attacker may provide a password to the victim once the ransom is paid. It's possible for a criminal to simply not send anything once payment is rendered. But if they intend to propagate via USB drive, it's likely that the first victim would be in contact with the next, and creating a reputation where payment brings no benefit would only prevent further payment. What's surprising is that the ransomware creates the file with the password right on the victim's computer. It even includes a Delete.exe that removes all traces of itself from the victim's computer (not USB drives) and even removes the startup file, making good on its promise after the password is entered.
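    The encryption step above leaves one concrete trace a defender can key on: a burst of files being renamed to the .syrk extension. The following is an added example, not code from the original post nor from Hidden-Cry or Syrk itself, showing how an endpoint monitor could flag that burst and list the affected paths for recovery. The event record format, the sample events, the time window and the threshold are all constructed assumptions for illustration; the only page-derived indicator is the extension.

```python
"""Rate-based detector for a Syrk-style rename burst.

Added example (not from the original post or from the malware).
The FileEvent shape and the sample events are constructed; in a real
deployment they would come from a file-system audit source.
"""
from collections import deque
from dataclasses import dataclass

SUSPICIOUS_EXT = ".syrk"   # extension reported for Syrk-encrypted files
WINDOW_SECONDS = 10.0      # assumed observation window
THRESHOLD = 5              # assumed renames-per-window before alerting


@dataclass
class FileEvent:
    ts: float      # seconds since epoch
    action: str    # "rename" or "create"
    path: str      # resulting path after the action


def is_syrk_path(path: str) -> bool:
    """Case-insensitive match, since the page writes both .syrk and .Syrk."""
    return path.lower().endswith(SUSPICIOUS_EXT)


def detect_syrk_burst(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return [(timestamp, count), ...], one alert per burst of renames
    to the suspicious extension within the sliding window."""
    recent = deque()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "rename" or not is_syrk_path(ev.path):
            continue
        recent.append(ev.ts)
        # drop renames that fell out of the window
        while recent and ev.ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((ev.ts, len(recent)))
            recent.clear()  # start counting a fresh burst
    return alerts


def affected_paths(events):
    """Sorted list of every path renamed to the suspicious extension;
    useful as the restore list once the decryption tool is run."""
    return sorted({ev.path for ev in events
                   if ev.action == "rename" and is_syrk_path(ev.path)})


# Constructed sample: one dense burst, an unrelated create, and a
# lone rename much later that should not trigger on its own.
SAMPLE_EVENTS = [
    FileEvent(100.0, "rename", "docs/a.txt.syrk"),
    FileEvent(100.5, "create", "Desktop/notes.txt"),
    FileEvent(101.0, "rename", "docs/b.docx.syrk"),
    FileEvent(101.5, "rename", "docs/c.jpg.syrk"),
    FileEvent(102.0, "rename", "docs/d.pdf.syrk"),
    FileEvent(102.5, "rename", "docs/e.xlsx.syrk"),
    FileEvent(103.0, "rename", "docs/f.png.syrk"),
    FileEvent(500.0, "rename", "docs/report.txt.SYRK"),
]

if __name__ == "__main__":
    for ts, count in detect_syrk_burst(SAMPLE_EVENTS):
        print(f"ALERT t={ts}: {count} renames to {SUSPICIOUS_EXT} within "
              f"{WINDOW_SECONDS}s")
    print("affected:", affected_paths(SAMPLE_EVENTS))
```

    On the constructed sample the detector raises a single alert at t=102.5 for the five-rename burst; the later lone rename is still collected in the affected list but does not by itself reach the threshold. Threshold and window are tuning knobs, and a real deployment would pair this with the persistence indicator the post mentions (a new startup entry) to reduce false positives from legitimate bulk renames.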

    This attack is clearly targeted towards either the weak-willed or the less informed. Children are particularly susceptible to the temptation to level the playing field with older or more dexterous peers in the game. The disguise as a tool for cheating already shows that the attacker intends to target those who would try to use shortcuts to achieve success over the effort of getting better at the game. While the desire to win doesn't make a vulnerable target, the lack of experience with scams and the pressure to perform despite the limitations of age combine to make a particularly vulnerable demographic. The malware itself may not be as dangerous or complex as others, but its target is particularly susceptible to such machinations.