New ransomware demanded high score on anime-style shooter game not bitcoins

Credit to Author: Darlene Storm| Date: Mon, 10 Apr 2017 09:23:00 -0700

Never underestimate what a person can come up with when he or she is bored. That was recently highlighted by the accidental release of ransomware that required victims to reach an astronomically high score on an anime-style shooter game instead of paying an outrageous ransom in bitcoins.

The Malware Hunter Team was surprised to discover Rensenware; they said the ransomware did not ask “for any money, but to play a game until you reach a score – and it’s not a joke.”

Victims who wanted their files decrypted were required to score over 200 million points in the “lunatic” level of the game TH12 ~ Undefined Fantastic Object.

Found a surprising ransomware today: “rensenWare”.
Not asks for any money, but to play a game until you reach a score – and it’s not a joke.

The ransom demand on the lock screen stated:

Minamitsu “The Captain” Murasa encrypted your precious data like documents, musics, pictures, and some kinda project files. It can’t be recovered without this application because they are encrypted with highly strong encryption algorithm, using random key.

As for how the files can be recovered, the creator of Rensenware wrote: “That’s easy. You just play TH12 ~ Undefined Fantastic Object and score over 0.2 billion in LUNATIC level. This application will detect TH12 process and score automatically. DO NOT TRY CHEATING OR TERMINATE THIS APPLICATION IF YOU DON’T WANT TO BLOW UP THE ENCRYPTION KEY.”

The Malware Hunter Team, however, noted that victims could edit their scores without consequences.

Anime is not my thing and I’ve never played this game, but lunatic difficulty level is presumably like hard mode on steroids; there are scoreboards showing that at least some people have managed it.

The ransomware was designed to automatically check the game's memory to confirm that a victim had reached the required level and score, and it would then decrypt the files; once the score was reached, it also provided a way to manually decrypt files in case any were missed.

A Korea-based undergraduate student, who goes by Tvple Eraser on Twitter, was the mastermind of Rensenware; he created it because he “was bored” and it was meant to be a joke. He told Kotaku that he fell asleep after releasing his joke on GitHub; when he woke up, his malware had spread. “He’s not sure how many were affected, but added that, in the programming process, he’d accidentally infected himself. When asked whether he could score 0.2 billion himself, the creator said, ‘Uh, oh…. Nope’.”

Tvple Eraser then wrote an apology and created a tool that works like a cheat engine for the game: it writes a score high enough to force decryption. He said he was “really sorry” for shocking and annoying people with Rensenware.

He “made it for joke, and just laughing with people who like Touhou Project Series,” and realized he should have removed the encryption/decryption logic before distributing the source code. He took down the source code and provided the decryption tool for victims infected with Rensenware.

So, the creator of rensenWare created a tool which writes the values to memory which are needed for the decryption.
Also wrote an apology…

On Sunday, he released a Rensenware protector that is not meant for already-infected machines. He has promised to never again “make any malware or any similar thing.”

When Rensenware was released, it would crash if conditions were not just right, for example if it detected an optical drive that couldn’t be encrypted. If conditions were right, a PC infected with it would require the victim to download the game if they didn’t have it and play until the specified level and score were reached. You can see the crash, the game and the decryption tool at work in danooct1’s video.

Perhaps the most worrying aspect of Rensenware is that between the time it was released and the time the source code was yanked, it got out there in the interwebs. It may, or may not, inspire a ransomware author to tweak it or otherwise innovate and make it deadlier.