Ransomware ‘Chaos’ Targets Japanese Minecraft Gamers Using Fake Alt Account List

The Chaos Ransomware group has been found to be encrypting users’ Windows devices using fake Minecraft Alt account lists advertised on gaming forums.

https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction

FortiGuard Labs has discovered a variant of the “Chaos” ransomware that appears to target Minecraft gamers in Japan.

This variant not only encrypts certain files, but also destroys other files so that they cannot be recovered.

If gamers fall victim to this attack, they may lose their data even if they choose to pay the ransom.

Minecraft is a hugely popular sandbox video game that is currently played by over 140 million people and is a top-selling title in Japan.

Attack in the guise of the text file “Alt Account List”

According to FortiGuard researchers, a variant of the recently discovered ransomware Chaos is being tentatively distributed in Japan, encrypting Minecraft players’ files and demanding a ransom.

The lure used by the threat group is the “Alt Account List” text file, which allegedly contains the credentials of stolen Minecraft accounts, but is actually an executable of the Chaos ransomware.

Minecraft players who want to troll other players without getting their own accounts banned use “Alt Account” lists to find stolen accounts that they can use for bannable offenses.

Because of its popularity, the Alt account list is always in demand and is commonly shared for free or by automatic account generators that supply “spare” accounts to the community.

Chaos ransomware appends four random letters or numbers as the extension of each file it encrypts.

The ransomware also creates a ransom note named “ReadMe.txt” and demands a prepaid card for 2,000 yen (about $17.56).

This variant of Chaos ransomware is configured to search infected systems for files of various types that are 2 MB or smaller and encrypt them.

Files downloaded from the Internet should be treated with suspicion and not executed unless the site is trusted and has been scanned by a tool such as VirusTotal.
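One way to apply this advice to the lure described above, a "text file" that is really an executable, is to check the file's content rather than its name before opening it. This is an added example, not code from the article or from FortiGuard Labs; the extension lists and function names are assumptions, and the article does not say how the executable was disguised.

```python
import struct
from pathlib import Path

# Assumed lists, not from the article: names a user expects to be harmless
# documents, and extensions Windows runs directly.
DOCUMENT_EXTS = {".txt", ".csv", ".log", ".doc", ".docx", ".pdf"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def check_advertised_list(name: str, data: bytes) -> list[str]:
    """Return reasons why a file offered as a text list should not be opened."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    pe = is_pe(data)
    reasons = []
    if pe and last not in EXECUTABLE_EXTS:
        reasons.append("content is a Windows executable but the name hides it")
    if len(suffixes) >= 2 and last in EXECUTABLE_EXTS and suffixes[-2] in DOCUMENT_EXTS:
        reasons.append("double extension puts a document name in front of an executable")
    if pe and not reasons:
        reasons.append("file is a Windows executable, not a text list")
    return reasons


def constructed_pe_stub() -> bytes:
    """Constructed sample: the smallest header is_pe() accepts, not a real program."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00"


if __name__ == "__main__":
    stub = constructed_pe_stub()
    for name, data in [("alt_list.txt", b"user1:pass1\n"),       # constructed text
                       ("alt_list.txt", stub),
                       ("Alt Account List.txt.exe", stub)]:
        print(name, "->", check_advertised_list(name, data) or "no findings")
```

An empty result only means the file is not a disguised Windows executable; it says nothing about whether the content is safe.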
