New Ransomware Asks User to Play Click Me Game while Encrypting Data

October 21, 2016

2 minute read

The click me game malware is developed by Iranian hacker as its readme file is written in Persian.

Karsten Hahn, a malware analyst at GData, has identified new ransomware that is currently in its developmental phase. According to Hahn’s analysis, the ransomware pretends to be a Click Me Game while its objective is the same, to encrypt the files present on a system.

Also Read: The Nastiest of all Ransomware Mamba Encrypts Entire Hard Drive

Bleeping Computer reports that as soon as the malware file is executed, a screen is launched that displays a Click Me button. When the user tries to click on it, it starts changing its position so that user has to move the mouse cursor to click. When all this is happening, the malware is silently encrypting files stored on the drive. This means the Click Me game is just added to keep the victim busy while the malware performs its job.

new-ransomware-asks-user-to-play-click-me-game-while-encrypting-data — Screen that launces once the malware is executed

If the user has spent a certain amount of time following the Click Me button or somehow user presses Enter key, the ransom note appears. The note contains an image of Anonymous followed by the message “You Have Been Hacked.” There is also some text in Persian (Farsi) that means that the victim has to pay ransom to get the decryption code for the encrypted files. This image will show you the ransom note and Farsi text that appears on the screen.

new-ransomware-asks-user-to-play-click-me-game-while-encrypting-data-2 — Translation: Alright, my dear brother!!! Enough free playing. Your files have been encrypted. Pay so much this much money so I can send you the password for your files. I can be paid this much too cause I am very kind. So move on I didn’t raise the price.

Currently, it is not possible to comment whether the ransomware is functional enough to be termed as an effective or threatening ransomware or even if it is a viable malware because it is in development. Hahn does state that it can encrypt files but it is also obvious that in its current form the ransomware only encrypts files that are located at D:\ransom-flag.png and doesn’t targets any other files or folders.

Moreover, the ransom note also indicates that the malware is not yet ready since payment related instructions like email address or payment website link aren’t included in the ransom note. The ransomware utilizes the AES encryption technique and adds .hacked extension to the encrypted files’ original titles.

Also Read: CryPy Ransomware Encrypts Each File Individually with a Special Key

The video posted below will show you how this works:

Also Read: ‘No More Ransom’ Anti-Ransomware Portal; Recovers Encrypted Data for Free

As of now, the ransomware isn’t being formally distributed and therefore, we need not feel so concerned at the moment. Let’s hope that it never sees the light of the day and remains hidden.

Top/Featured Image Via: Twitter/Marcelo Rivero