A new ransomware is taking the unusual approach of selling its decryptor on the Roblox gaming platform using the service’s in-game Robux currency.
Roblox is an online kids gaming platform where members can create their own games and monetize them by selling Game Passes, which provide in-game items, special access, or enhanced features.
To pay for these Game Passes, members must purchase them using an in-game currency called Robux.
Selling decryptors on Roblox
Today, security researcher MalwareHunterTeam discovered a new ransomware named ‘WannaFriendMe’ that impersonates the notorious Ryuk ransomware. In reality, however, it is a variant of the Chaos ransomware.
In June 2021, a threat actor began selling a Chaos ransomware builder that allowed wannabe criminals to create their very own ransomware infection with customized ransom notes, encrypted file extensions, and other features.
By default, the Chaos builder pretends to be Ryuk, using the .ryuk extension for encrypted files, as shown below.
Files encrypted by the Chaos ransomware variant
What makes the new WannaFriendMe ransomware stand out is that instead of demanding cryptocurrency as a ransom payment, it requires victims to purchase a decryptor from Roblox’s Game Pass store using Robux, as can be read in the ransom note below:
—– YOUR FILES HAVE BEEN ENCRYPTED! —–
Don’t panic, your files are decryptable, But your files can only be decrypted with our own decrypter tool! To get this decrypter, you must buy this gamepass: https://www.roblox.com/game-pass/49955147/Ryuk-Decrypter
YOU MUST HAVE A ROBLOX ACCOUNT TO BUY THE GAMEPASS, BUY 1700 ROBUX AND THEN BUY THE GAMEPASS ABOVE.
AFTER BUYING THE GAMEPASS, CONTACT [email protected] WITH YOUR USERNAME AND SCREENSHOT OF YOU OWNING THE GAMEPASS. DO NOT DELETE THE GAMEPASS OTHERWISE YOU WILL DISOWN THE GAMEPASS.
When visiting the URL to the Roblox Game Pass store, you can see that the ‘Ryuk Decrypter’ is being sold by a user named ‘iRazormind’ for 1,499 Robux and was last updated on June 5th.
Decryptor sold as a Roblox Game Pass
The problem with Chaos-based variants is that they do not just encrypt data; in many cases they destroy it outright.
While encrypting a device, any file larger than 2MB is overwritten with random data rather than encrypted, so no key can ever bring it back. This means that even if a victim purchases the decryptor, only files smaller than 2MB can be restored; the larger ones are lost regardless of payment.
WannaFriendMe source code showing how it destroys files
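The practical consequence of that size cutoff is that a victim (or an incident responder) can tell up front which files a purchased decryptor could even help with. The script below is an added example written for this article, not code from the WannaFriendMe sample or the Chaos builder: it walks a directory, finds files carrying the `.ryuk` extension the article reports, and buckets them by size. The exact 2 MiB (2,097,152-byte) cutoff, the `.ryuk` extension, and the sample victim directory it builds in a temp folder are all assumptions standing in for the article's "2MB" figure and for real victim data.

```python
"""Size-based recovery triage for files hit by a Chaos-builder variant.

Added illustration for this article, not code from the WannaFriendMe sample or
the Chaos builder. Assumptions (labelled): the '.ryuk' extension the article
reports, and a 2 MiB (2,097,152-byte) cutoff standing in for the article's
"2MB" threshold above which the malware overwrites instead of encrypting.
"""
import os
import tempfile
from pathlib import Path

RYUK_EXT = ".ryuk"             # extension reported in the article
SIZE_CUTOFF = 2 * 1024 * 1024  # assumed 2 MiB stand-in for the article's "2MB"


def classify(size_bytes: int, cutoff: int = SIZE_CUTOFF) -> str:
    """Files at or under the cutoff were encrypted, so a decryptor could help;
    anything larger was replaced with random bytes and cannot be recovered."""
    return "recoverable" if size_bytes <= cutoff else "destroyed"


def triage(root: Path, ext: str = RYUK_EXT, cutoff: int = SIZE_CUTOFF) -> dict:
    """Walk `root` and bucket every `ext` file by whether a decryptor could help."""
    report = {"recoverable": [], "destroyed": [], "bytes_lost": 0}
    for path in sorted(root.rglob(f"*{ext}")):
        if not path.is_file():
            continue
        size = path.stat().st_size
        bucket = classify(size, cutoff)
        report[bucket].append(path)
        if bucket == "destroyed":
            report["bytes_lost"] += size  # data no decryptor can give back
    return report


def build_sample_tree(root: Path, cutoff: int = SIZE_CUTOFF) -> None:
    """Constructed sample victim directory (not real victim data): two small
    documents, one oversized media file, and one file the malware did not touch.
    Random bytes stand in for ciphertext; real content does not matter here."""
    (root / "docs").mkdir()
    (root / "docs" / f"budget.xlsx{RYUK_EXT}").write_bytes(os.urandom(cutoff // 2))
    (root / "docs" / f"thesis.docx{RYUK_EXT}").write_bytes(os.urandom(cutoff))  # exactly at cutoff
    (root / f"video.mp4{RYUK_EXT}").write_bytes(os.urandom(cutoff + 1))         # one byte over
    (root / "notes.txt").write_text("untouched file: wrong extension, skipped")


def run_demo(cutoff: int = SIZE_CUTOFF) -> dict:
    """Build the sample tree in a temp dir, triage it, and return plain names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root, cutoff)
        report = triage(root, cutoff=cutoff)
        return {
            "recoverable": [p.name for p in report["recoverable"]],
            "destroyed": [p.name for p in report["destroyed"]],
            "bytes_lost": report["bytes_lost"],
        }


if __name__ == "__main__":
    summary = run_demo()
    print(f"recoverable with a decryptor : {summary['recoverable']}")
    print(f"destroyed, no decryptor helps: {summary['destroyed']}")
    print(f"bytes unrecoverable          : {summary['bytes_lost']}")
```

Size is the only cheap discriminator here: both genuine ciphertext and the random filler written over large files are high-entropy, so entropy checks cannot separate the two buckets. Anything in the "destroyed" bucket should go straight to backup restoration rather than waiting on a Game Pass purchase.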
While it is unclear how this ransomware is distributed or whether it has been used in attacks, its destructive nature and its targeting of young gamers could cause significant damage.
This is not the first time Chaos ransomware variants have targeted gamers.
In October 2021, threat actors targeted Japanese Minecraft players with ‘alt lists’ allegedly containing stolen Minecraft accounts; the downloads instead encrypted their devices with a Chaos ransomware variant.