Pokemon GO Players On PC Are Getting Hit By Ransomware

Pokemon GO Players On PC Are Getting Hit By Ransomware

While Pokemon GO, the hugely popular augmented reality game, is officially only available for mobile devices, there are ways to play it on PC (we have a guide for it here). But going down the unofficial route does come with its own risks. If you download the game from a dubious source, you may potentially fall prey to nefarious software created by cybercriminals. One example is a new ransomware that impersonates a Pokemon GO application for Windows. Here’s what you need to know.

Spotted by security researcher Michael Gillespie earlier this month, it is based on the Hidden Tear ransomware and is currently targeting Arabic-speaking users. But it’s worth noting that the ransomware is still in development and has the potential to spread and affect other demographics.[related title=”More Stories on Ransomware” tag=”ransomware” items=”3″]

According to security vendor Trend Micro: “There are numerous indicators that the ransomware is still under development. One of them is that it has a static AES encryption key of ‘123vivalalgerie’. Additionally, the command & control server (C&C) uses a private IP address which means it cannot connect over the Internet.”

Malwarebytes Labs has done a deep analysis of this Pokemon GO ransomware and has detailed the way it infects a user’s PC. Crucially, it creates a backdoor user account in Windows:

” Upon execution PokemonGo creates the following files:
C:Userscurrent userDesktoppk (password)
C:Userscurrent userDesktopهام جدا.txt (Ransom note)
C:Userscurrent userAppDataRoamingMicrosoftWindowsStart MenuProgramsStartup6002.exe (random but 6002.exe for this instance. This resource file is extracted from the main executable, it is saved to the user Startup folder and launched upon restart, contains Pokemon and Arabic note screensaver).
… PokemonGo comes with a backdoor functionality, in which it uses the addUser function to add a user to the administrators group under the user name “Hack3r”. PokemonGo also makes this new user a ‘hidden’ user via the Windows registry ‘HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonSpecialAccountsUserList’ (value set to ‘0’), which is used to hide the newly added “Hack3r” account on the welcome/login screen.”

Malwarebytes noted that the ransomware does have a few clever tricks up its sleeves:

“We already mentioned one of the clever tricks PokemonGo has of creating the hidden user “Hack3r” but it also has some more new tricks. Earlier this year we saw zCrypt ransomware identifying and copying itself to connected removable drives and attempting to use an Autorun.inf file to populate and infect new victims. Using this method of populating and infecting new victims, via the Populate function, PokemonGo would be able to locate connected removable drives and drop both a copy of itself as well as an Autorun.inf file. The purpose of dropping the autorun file is so the malware can be executed by the AutoRun and AutoPlay components of Microsoft Windows, which in turn means that the malware can be launched from a USB or CD upon being inserted into a new target system. (although noted in the Populate function this was not seen during analysis).”

You can find read through the analysis here.

As always, we’d recommend regularly backing up your data so that even if you do get hit by ransomware, at least you won’t lose all of your precious files. Also, steer clear of suspicious websites when you’re downloading files on the internet. Just exercise common sense.

This story originally appeared on Lifehacker


  • Sorry, but doesn’t that guide allow users to wilfully violate the game’s T&Cs anyway?

    Feel bad for anybody unlucky to be attacked like this, but it’s like a honeypot (full of pokemon hahah).

    Now, about that cracked key generator guide I’ve been wanting…..

    • Sorry, but doesn’t that guide allow users to
      wilfully violate the game’s T&Cs anyway?

  • Promoting a guide that actively violates the ToS for the game is a bit wrong….

    As for ransomware on people who do this, good. Don’t cheat and you won’t get hit.

  • Isn’t the point to motivate people into exercise? Kinda hard to lug a PC around. Unless you’re hard core Ash Ketchum/fitness freak I guess…

    • I’d want to make sure his heart is okay, 20 years of having a fat electric rodent sitting on your left shoulder can’t be healthy.

      • Ash should be wearing some type of tin-foil headpiece. Doesn’t he know that Electric Rodent EMP causes cancer!

  • One thing I’ve learned throughout the years is if you are going to download software that allows you to do something unofficial then you better be 100% certain about the software otherwise you get what you deserve if a trojan app suddenly spews forth an army of Greeks.

    • God damned Greeks, locking up my machine and holding it for ransom.

      But jokes on them! They’re trapped inside a VM! MWAHAHA!

  • I would pay money to see an internet mob track down someone who sends out ransom ware and mal ware and beat the ever loving shit out of them, post the video to the web. Repeat.

Show more comments

Comments are closed.

Log in to comment on this story!