
Games’ growing dependence on Internet connectivity means gamers constantly have to educate themselves about the threats, exploits and malware that could affect their gaming. Now there is a new threat in the form of ransomware that specifically seeks out and encrypts files belonging to several popular games.

Ransomware is a type of malware that restricts access to your system or data and demands money or some other payment before access is restored. Analysed by Bromium Labs, the ransomware, called TeslaCrypt by the security community although it patterns itself after the more famous CryptoLocker, infects users by redirecting them from a compromised WordPress site to another page containing a hidden Flash component that delivers the payload and installs the malware.

Figure: Breakdown of the number of extensions sought by TeslaCrypt, organised by type.

At this point TeslaCrypt begins encrypting your data, seeking out specific file types associated with particular games, developers and publishers. Although it also targets some non-game data, its primary focus is game-related content: saves, mods and other files from several popular games and game-related software. The full list is below:

Single-Player Games
Call of Duty
StarCraft II
Diablo
Fallout 3
Minecraft
Half-Life 2
Dragon Age: Origins
The Elder Scrolls, and specifically Skyrim-related files
Star Wars: Knights of the Old Republic
Warcraft III
F.E.A.R.
Saints Row 2
Metro 2033
Assassin’s Creed
S.T.A.L.K.E.R.
Resident Evil 4
BioShock 2

Online Games
World of Warcraft
DayZ
League of Legends
World of Tanks
Metin2

Company Specific Files
Various EA Sports games
Various Valve games
Various Bethesda games

Gaming Software
Steam

Game Development Software
RPG Maker
Unity3D
Unreal Engine
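Because TeslaCrypt selects its victims by file extension and replaces each one with ciphertext, the quickest way to tell which of your saves and project files are already lost is to look at their byte entropy: a plain save or config file has low entropy, while encrypted output is close to 8 bits per byte. The triage script below is an added example written for this page, not code from the original article or from Bromium's analysis. The extension watch list (`WATCH_EXTENSIONS`), the directory layout and the sample files are all assumptions constructed for the demo; the article does not enumerate TeslaCrypt's real extension list, so substitute your own.

```python
"""Entropy-based triage for files suspected of ransomware encryption.

Added example, not part of the original article or Bromium's analysis.
TeslaCrypt picks files by extension; this script walks a directory tree,
selects files whose extensions match an ASSUMED watch list, and flags
those whose byte entropy is near 8 bits/byte, which is what encrypted
data looks like and what a normal save game or config file does not.
"""
import math
import os
import tempfile
from collections import Counter

# Assumed watch list for the demo; the real TeslaCrypt list is not on the page.
WATCH_EXTENSIONS = {".sav", ".save", ".dat", ".cfg", ".profile"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, threshold: float = 7.5, sample_size: int = 65536) -> bool:
    """True if the file's leading bytes have ciphertext-like entropy.

    Caveats a practitioner should keep in mind:
    - Files under 1 KiB cannot reach high entropy even when encrypted, so they
      are reported as clean; check those by hand.
    - Already-compressed formats (zip/png/zlib-packed saves) also score high,
      so a hit means "investigate", not "definitely encrypted".
    """
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if len(head) < 1024:
        return False
    return shannon_entropy(head) >= threshold


def triage(root: str, extensions=WATCH_EXTENSIONS, threshold: float = 7.5):
    """Return (suspect, clean) sorted path lists for watched files under root."""
    suspect, clean = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in extensions:
                continue  # not a file type on the watch list
            path = os.path.join(dirpath, name)
            (suspect if looks_encrypted(path, threshold) else clean).append(path)
    return sorted(suspect), sorted(clean)


def build_demo_tree() -> str:
    """Constructed sample data (not real game files): one readable save,
    one file overwritten with random bytes standing in for ciphertext, and
    one unrelated file that the watch list ignores. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="teslacrypt_demo_")
    saves = os.path.join(root, "Saved Games")
    os.makedirs(saves)
    with open(os.path.join(saves, "slot1.sav"), "wb") as fh:  # intact, low entropy
        fh.write(b"PLAYER=Dovahkiin\nLEVEL=12\nLOCATION=Whiterun\n" * 50)
    with open(os.path.join(saves, "slot2.sav"), "wb") as fh:  # "encrypted"
        fh.write(os.urandom(4096))
    with open(os.path.join(root, "readme.txt"), "wb") as fh:  # not watched
        fh.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    suspects, intact = triage(demo_root)
    print("suspect (likely encrypted):", suspects)
    print("clean (still readable):   ", intact)
```

Run it against a real profile directory by calling `triage("C:/Users/you/Saved Games")` with your own extension set; the entropy threshold of 7.5 bits per byte is deliberately conservative so that 4 KiB of ciphertext clears it comfortably while text-based saves stay well below it.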

Once the data is encrypted, it displays a message with a countdown and instructions for regaining access to your files. It uses Tor, a popular means of anonymising and encrypting online communications, to reach the site where payment is processed. It is not cheap: the TeslaCrypt operators currently demand $500 in Bitcoin to restore access. The encryption has yet to be cracked, so encrypted files remain inaccessible for now, and failure to pay within the time limit means your files are essentially gone for good.


To be fair, for most PC players this is unlikely to be a disaster: with cloud saves, the ability to redownload from a Steam library and several other gaming services, it is relatively easy to wipe the drive and start from scratch. The real loss is anything that was not backed up: saves and progress, mods, and the non-game files encrypted alongside them, which may be much harder to replace or restore.

While most PC gamers are relatively savvy, the ransomware likely targets less technically-oriented gamers; younger players may worry about getting into trouble, or may not know how to reinstall an OS or look for alternative solutions. Similarly, game developers may be able to redownload, say, RPG Maker, but not necessarily the development work they have done within that engine.

Be sure to keep your operating system and software (including browser plugins such as Flash) updated with the latest security patches, regularly back up ALL your important files and documents to storage that is not left permanently connected to your machine (ransomware encrypts any drive it can reach), and be careful which sites you browse; it is dangerous out there. If you want more detailed information on TeslaCrypt, you can read Bromium's breakdown of the malware here, along with credit to the original forum-goers who first reported it in February.

Source: Bromium Labs