Chaos ransomware lures Minecraft gamers via fake alt lists

Summary

Minecraft has remained popular for 12 consecutive years, with around 140 million active players as of August 2021. Cybercrime groups are now attempting to exploit this by targeting gamers' Windows devices, promoting fake Minecraft "alt lists" on gaming forums.

“A variant of the Chaos ransomware that appears to target Minecraft gamers in Japan. This variant not only encrypts certain files but also destroys others, rendering them unrecoverable. If gamers fall prey to the attack, choosing to pay the ransom may still lead to a loss of data. In this report we will take a look at how this new ransomware variant works,” stated Shunichi Imano and Fred Gutierrez of FortiGuard Labs.

Alternative accounts, a.k.a. "alts", are used by Minecraft players for various purposes, such as avoiding a ban on their main account or serving as a cover for an alternative in-game identity. The threat actors advertise an "alt list" that supposedly contains stolen Minecraft account credentials, but the file is actually a Chaos ransomware executable.

“Even though they are often publicly available through Minecraft online forums, Alt Lists contain stolen accounts that gamers can use to do the things listed above. That’s what the threat actors behind this ransomware attack are using to lure victims to download and open the file. In this case, the file is an executable, but it uses a text icon to fool potential victims into thinking it is a text file full of compromised usernames and passwords for Minecraft. While we don’t know how this specific fake list is being distributed, it’s a safe guess that the file is being advertised on Minecraft forums for Japanese gamers,” continues Fortinet.

When it encrypts a victim's files, Chaos ransomware appends four random characters or digits as the extension of each encrypted file. It also drops a ransom note, "ReadME.txt", demanding 2000 yen (approx. $17.56) in a pre-paid card. The note is written in Japanese, which indicates that the targets are Japanese Windows users.

“But files larger than 2,117,152 bytes with specified file extensions are filled with random bytes so the victim will not be able to get those files back even if the ransom is paid. Having this destructive element changes this attack from a typical ransomware attack and is a very troubling component.”
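As an added defender-side example (not FortiGuard's analysis code and not anything from the write-up), the Python below turns the indicators described in the paragraphs above into a small triage script. It covers both the lure and the aftermath: a content-based check that a downloaded "alt list" really is text rather than a PE executable hiding behind a text icon, and a directory scan for the post-infection markers (the ReadME.txt note, four-character appended extensions, and files over 2,117,152 bytes whose contents are now random bytes). The entropy cut-off, the allow list of benign four-character extensions and the sample files are assumptions constructed for the demo.

```python
"""Triage helpers for the Chaos-variant indicators described in the write-up.

Added example, not FortiGuard's or the ransomware's code. The note name,
the four-character extension pattern and the 2,117,152-byte threshold come
from the write-up; the entropy cut-off, the benign-extension allow list and
the sample tree are constructed here for illustration.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE = "readme.txt"                 # "ReadME.txt", compared case-insensitively
DESTRUCTION_THRESHOLD = 2_117_152          # bytes; larger files are overwritten with random data
FOUR_CHAR_EXT = re.compile(r"^\.[A-Za-z0-9]{4}$")
BENIGN_4CHAR_EXTS = {".docx", ".xlsx", ".pptx", ".json", ".html", ".jpeg", ".webp", ".toml", ".yaml"}  # assumption
ENTROPY_CUTOFF = 7.5                       # assumption: random bytes score ~7.99 bits/byte on a 64 KiB sample
SAMPLE_BYTES = 64 * 1024


def classify(path) -> str:
    """Content-based type check: an icon or a file name proves nothing, the bytes do."""
    with Path(path).open("rb") as f:
        head = f.read(SAMPLE_BYTES)
    if head.startswith(b"MZ"):             # DOS/PE header: a Windows executable, whatever icon it shows
        return "executable"
    try:
        head.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; overwritten (random) content sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(root) -> dict:
    """Walk a tree and collect the indicators the write-up describes, as paths relative to root."""
    root = Path(root)
    report = {"executables": [], "ransom_notes": [], "four_char_ext_files": [], "likely_destroyed": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        if classify(p) == "executable":                       # an "alt list" that is really a PE
            report["executables"].append(rel)
        if p.name.lower() == RANSOM_NOTE:
            report["ransom_notes"].append(rel)
        if FOUR_CHAR_EXT.match(p.suffix) and p.suffix.lower() not in BENIGN_4CHAR_EXTS:
            report["four_char_ext_files"].append(rel)        # four random characters or digits appended
        if p.stat().st_size > DESTRUCTION_THRESHOLD:
            with p.open("rb") as f:
                if entropy(f.read(SAMPLE_BYTES)) > ENTROPY_CUTOFF:
                    report["likely_destroyed"].append(rel)   # too big to be encrypted: filled with random bytes
    return report


def build_sample_tree() -> str:
    """Constructed sample data for the demo (not real artefacts)."""
    d = Path(tempfile.mkdtemp(prefix="chaos_demo_"))
    (d / "alt_list.exe").write_bytes(b"MZ" + b"\x00" * 100)            # lure: PE posing as a credential list
    (d / "ReadME.txt").write_text("demo note", encoding="utf-8")        # note name from the write-up
    (d / "notes.txt").write_text("a real text file", encoding="utf-8")
    (d / "photo.jpg.k3Xq").write_bytes(b"\x00" * 10)                   # constructed four-character extension
    # Two zero bytes up front so the random body can never start with "MZ" by chance.
    (d / "archive.zip").write_bytes(b"\x00\x00" + os.urandom(DESTRUCTION_THRESHOLD))
    return str(d)


if __name__ == "__main__":
    sample = build_sample_tree()
    print("alt_list.exe is:", classify(os.path.join(sample, "alt_list.exe")))
    for key, hits in scan(sample).items():
        print(f"{key}: {hits}")
```

Running it prints the lure file as `executable` and lists one hit per indicator category from the constructed tree. The entropy check is the only heuristic step: a legitimately compressed or encrypted archive over the threshold also scores high, so treat that category as "needs a look" rather than proof of destruction.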

Impact

Potential loss of files and money due to file encryption, file destruction, and payment of the ransom.

Remediate

Users should not execute any files they download from the Internet unless they trust the site and have scanned the file.

Reference