Researchers at MalwareHunterTeam announced that they have seen a new ransomware variant being distributed that is selling their decryptor on the popular children’s game Roblox using the game’s own currency, Robux. The ransomware is called WannaFriendMe and is impersonating Ryuk ransomware. However, it is actually a version of Chaos ransomware, which by default uses the .ryuk extension when encrypting files. It is unclear how the ransomware is being distributed, but the only way to purchase the decryptor is through the Roblox store according to the ransom note left behind. The problem with Chaos ransomware variants is that they not only encrypt data but also destroy it in many cases. Any file over 2MB will be overwritten with random strings and not decrypted. Even if the victim buys the decryptor, they will not be able to recover any document over 2MB.
Analyst Notes
This is not the first time that Chaos ransomware has targeted gamers, but their variants seem to change in different cases. Standard best practices should always be followed when it comes to protecting against ransomware operators. Proper training should be in place to teach employees how to spot a malicious email and report it immediately. It is also important to have multiple backups, including offline backups, and an incident response plan to get back up and running quickly.
https://www.bleepingcomputer.com/news/security/bizarre-ransomware-sells-decryptor-on-roblox-game-pass-store/?&web_view=true
