Fake Windows and Android installers for the Cyberpunk 2077 game are being distributed by a threat actor that is further installing ransomware called CoderWare.
To trick users into downloading and installing the malware, the threat actors distribute it disguised as game installers, cheats, and cracks for copyrighted software.
Researchers recently discovered Android malware posing as a mobile version of the Cyberpunk 2077 game. It was distributed from a fake website impersonating the legitimate Google Play Store.
The researcher also disclosed that the CoderWare ransomware uses a hardcoded key, which means a decryptor can be built to recover files for free if necessary.
Files are encrypted with the RC4 algorithm using a hardcoded key. Because RC4 is a symmetric cipher, anyone who holds that key can reverse the encryption, so victims can recover their files without paying the ransom.
The hardcoded key ‘21983453453435435738912738921’ appears in the ransomware source code.
This ransomware is the same as the one discovered in November that masqueraded as a Windows Cyberpunk 2077 installer. Like the Android version, it calls itself CoderWare but is actually a variant of the BlackKingdom ransomware.
The Windows variant was a compiled Python executable that encrypted the victim’s files and appended the .DEMON extension to the encrypted file names.
At present time, it is not known if the Windows version of the ransomware uses a hardcoded key.
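To illustrate why a hardcoded RC4 key allows free recovery, here is an added example (not code from the article, from eScan, or from the malware): a minimal RC4 implementation keyed with the value quoted above, used to reverse a constructed sample. It assumes the encrypted file is raw RC4 output with no header and that the .DEMON files use the same key, which the article notes is not confirmed for the Windows variant.

```python
# Added example: minimal RC4 and a recovery helper for a hardcoded-key cipher.
# Assumptions (not verified against CoderWare): whole-file RC4 with no header,
# and the .DEMON (Windows) files use the key quoted for the Android variant.
from pathlib import Path

HARDCODED_KEY = b"21983453453435435738912738921"   # key quoted in the article


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: KSA then PRGA. Same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def self_test() -> bool:
    """Validate the implementation against the standard RC4 test vector."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


def recover(ciphertext: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """Undo the encryption: with a symmetric cipher the leaked key is enough."""
    return rc4(key, ciphertext)


def restore_demon_file(path: Path, key: bytes = HARDCODED_KEY) -> Path:
    """Write <name>.DEMON back to <name>; refuses to touch other files."""
    if path.suffix != ".DEMON":
        raise ValueError(f"not a .DEMON file: {path}")
    target = path.with_suffix("")                 # report.txt.DEMON -> report.txt
    target.write_bytes(recover(path.read_bytes(), key))
    return target


if __name__ == "__main__":
    assert self_test()
    # Constructed sample: simulate an encrypted document and recover it.
    original = b"Quarterly report: all figures here are constructed sample data."
    locked = rc4(HARDCODED_KEY, original)
    print(recover(locked) == original)           # True
```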
Clearly, users who try to obtain copyrighted software for free face a high risk of malware infection. That risk grows further when users install Android apps from third-party app stores rather than the official Play Store.
To read more, please check eScan Blog