A threat actor is distributing fake Windows and Android installers for the Cyberpunk 2077 game that is installing a ransomware calling itself CoderWare.
To trick users into installing malware, threat actors commonly distribute them as gamer installers, cheats, and cracks for copyrighted software.
This week, Kaspersky malware analyst Tatyana Shishkova discovered an Android ransomware masquerading as a mobile version of the Cyberpunk 2077 game. The game was being distributed from a fake website impersonating the legitimate Google Play Store.
Shishkova tweeted that the CoderWare ransomware utilizes a hardcoded key, which means a decryptor can be made if necessary to recover files for free.
“RC4 algorithm with hardcoded key (in this example – “21983453453435435738912738921”) is used for encryption. That means that if you got your files encrypted by this #ransomware, it is possible to decrypt them without paying the ransom.”
You can see the hardcoded key ‘21983453453435435738912738921’ in the ransomware source code shown below.
Windows version released in November
This ransomware is the same as one discovered by MalwareHunterTeam in November that was disguised as a Windows Cyberpunk 2077 installer. Like the Android version, this ransomware calls itself CoderWare but is a variant of the BlackKingdom ransomware.
The Windows variant was a python compiled executable that would encrypt a victim’s files and append the .DEMON extension to encrypted file’s names.
It is not known if the Windows version use a hardcoded key at this time.
As you can see, when attempting to install copyrighted software for free, you face huge risks of malware infections. This risk is even more significant when you try to install Android apps from third-party app stores.
To read the original article: