PokemonGo Ransomware installs Backdoor Account and Spreads to other Drives

With the popularity of PokemonGo, it was inevitable that a malware developer would create a ransomware that impersonates it. This is the case with a new Hidden-Tear ransomware discovered by Michael Gillespie that impersonates a PokemonGo application for Windows and targets Arabic victims.

PokemonGo Ransomware Icon

On first glance, the PokemonGo ransomware infection looks like any other generic ransomware infection. It will scan a victim's drive for files that have the following extensions:

.txt, .rtf, .doc, .pdf, .mht, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .htm, .gif, .png


Well, that didn't take long. Anyone had this yet?

When installed, the PokemonGo Ransomware will create a user account called Hack3r and add it to the Administrators group.

Hack3r Account

It then hides this account from being seen on the Windows login screen by configuring the following Windows registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList "Hack3r" = 0
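From a defender's side, the two changes quoted above (a new member of the local Administrators group and a UserList value of 0 hiding it from the logon screen) can be audited with a few lines of PowerShell. This is an added example, not code from the article or from anyone in this thread; it assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser, Get-LocalGroupMember) and an elevated session, and it only reads, never changes, anything.

```powershell
# Added audit script (not from the article or the forum thread): list local
# accounts hidden from the Windows logon screen through the Winlogon
# SpecialAccounts\UserList value described above, and flag any that also
# sit in the local Administrators group. Read-only; run elevated.

$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
# Properties Get-ItemProperty adds for the registry provider; not account names.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-HiddenLogonAccounts {
    # Returns account names whose UserList value is 0 (hidden from the logon UI).
    if (-not (Test-Path $userListKey)) { return @() }
    $values = Get-ItemProperty -Path $userListKey
    $values.PSObject.Properties |
        Where-Object { $_.Name -notin $providerProps -and $_.Value -eq 0 } |
        ForEach-Object { $_.Name }
}

function Get-LocalAdminNames {
    # Bare account names of local Administrators members ("HOST\name" -> "name").
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        ForEach-Object { ($_.Name -split '\\')[-1] }
}

$admins = @(Get-LocalAdminNames)
$hidden = @(Get-HiddenLogonAccounts)

if ($hidden.Count -eq 0) {
    Write-Output "No accounts are hidden via $userListKey"
    return
}

foreach ($name in $hidden) {
    $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Account         = $name
        ExistsLocally   = [bool]$user
        Enabled         = if ($user) { $user.Enabled } else { $null }
        PasswordLastSet = if ($user) { $user.PasswordLastSet } else { $null }
        # Hidden from logon AND a local admin is the pattern the article describes.
        LocalAdmin      = $admins -contains $name
    }
}
```

Legitimate software occasionally hides service accounts the same way, so treat a hit as something to verify against change records rather than as proof of infection on its own.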

What idiot tries to install Pokémon Go on Windows? That completely defeats the point of the GO part.

Also, before it was released in Europe it was pretty dangerous to get, as people were uploading malware APKs or even the legit Pokémon Go app but with added shitbaggery. And these actually targeted mobile devices. Much more effective than Windows.


The people with Windows phones...