Researchers at MalwareHunterTeam announced that they have seen a new ransomware variant being distributed that sells its decryptor on the popular children’s game Roblox using the game’s own currency, Robux. The ransomware is called WannaFriendMe and impersonates Ryuk ransomware. However, it is actually a version of Chaos ransomware, which by default uses the .ryuk extension when encrypting files. It is unclear how the ransomware is being distributed, but according to the ransom note left behind, the only way to purchase the decryptor is through the Roblox store. The problem with Chaos ransomware variants is that they not only encrypt data but, in many cases, also destroy it. Any file over 2MB will be overwritten with random strings and cannot be decrypted. Even if the victim buys the decryptor, they will not be able to recover any document over 2MB.