With the popularity of PokemonGo, it was inevitable that a malware developer would create a
ransomware that impersonates it. This is the case with a new Hidden-Tear ransomware discovered by Michael Gillespie that impersonates a PokemonGo application for Windows and targets Arabic victims.
[Image: PokemonGo Ransomware Icon]
On first glance, the PokemonGo ransomware infection looks like any
other generic ransomware infection. It will scan a victim’s drive for
files that have the following extensions:
.txt, .rtf, .doc, .pdf, .mht, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .htm, .gif, .png
Source
Well that didn't take long. Anyone had this yet?
When installed, the PokemonGo Ransomware will create a user account called Hack3r and add it to the Administrators group.
[Image: Hack3r Account]
It then hides this account from being seen on the Windows login screen by configuring the following Windows registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList "Hack3r" = 0
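As an added example (not part of the quoted article and not the malware's code), here is a PowerShell audit a defender can run to find local accounts hidden from the logon screen through that SpecialAccounts\UserList key and flag any that are also members of the local Administrators group. It assumes Windows PowerShell 5.1 or later (for Get-LocalUser and Get-LocalGroupMember) and read access to HKLM.

```powershell
# Added example: audit accounts hidden from the Windows logon screen via the
# Winlogon SpecialAccounts\UserList key and cross-check them against local admins.
# Assumes Windows PowerShell 5.1+ and rights to read HKLM (not the original post's code).
$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

# Provider-added properties that Get-ItemProperty attaches to every registry object.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-HiddenLogonAccounts {
    # Names of accounts whose UserList value is 0, i.e. hidden from the logon screen.
    # The key does not exist on a default Windows install, so its absence is benign.
    if (-not (Test-Path -Path $UserListKey)) { return @() }
    $props = Get-ItemProperty -Path $UserListKey
    $props.PSObject.Properties |
        Where-Object { $ProviderProps -notcontains $_.Name -and $_.Value -eq 0 } |
        ForEach-Object { $_.Name }
}

function Get-LocalAdminNames {
    # Members of the local Administrators group, reduced to bare account names
    # (Get-LocalGroupMember reports them as COMPUTER\name or DOMAIN\name).
    Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { ($_.Name -split '\\')[-1] }
}

$hidden = @(Get-HiddenLogonAccounts)
$admins = @(Get-LocalAdminNames)

foreach ($name in $hidden) {
    $exists  = [bool](Get-LocalUser -Name $name -ErrorAction SilentlyContinue)
    $isAdmin = $admins -contains $name
    [pscustomobject]@{
        Account       = $name
        HiddenAtLogon = $true
        AccountExists = $exists
        LocalAdmin    = $isAdmin
        # A hidden account that exists AND holds local admin matches the behaviour
        # described above and deserves immediate investigation.
        Verdict       = if ($exists -and $isAdmin) { 'INVESTIGATE: hidden local admin' } else { 'review' }
    }
}
```

A stale UserList entry for an account that no longer exists still shows up (AccountExists = False), which is worth cleaning up but is not by itself evidence of this infection.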