PokemonGo Ransomware creates a Hidden unexpected user

Ransomware is currently being perceived as one of the worst threat on the Internet and as we pointed out umpteen number of times no one is completely safe from the Ransomware. Pokemon Go has been one of the most popular games in the recent times and we had even published a guide on how to stay safe while playing Pokemon Go. Well, attackers seem to be capitalizing on the Pokemon craze by creating Ransomware related to Pokemon Go and luring the user to open the malicious file with the help of social engineering tactics.

PokemonGo Ransomware

PokemonGo Ransomware

According to reports, one of the ransomware is called the PokemonGo Ransomware and the second one is called DetoxCrypto. If you are interested in the details download the PokemonGo Ransomware Forensics report.

The analysis further states that the Ransomware is based on educational ransomware called Hidden Tear. Also, the ransomware shows up as hidden tear in the Windows Task Manager.

The tree view analysis shows how pokemongo.exe was the first launched executable which actually creates a 14104.exe file which is stored in the windows startup folder and is meant to trigger the reboot.

As seen in the screenshot above the pokemongo.exe launches a copy of itself called pokemongo.exe and it is this process that encrypts the user’s files. Just moments prior to the actual encryption process pokemongo.exe creates a copy of itself to the root of the secondary drive (E:) and in order to maintain the persistence the file is also added to the Windows registry key thus eventually ending up creating 7550.exe in the Windows Startup folder.

In the next step, the process creates a file in Arabic which contains the ransom payment information. The file doesn’t open automatically and also a new user by the name “hack3r” is created on the machine. Also, it is strange that both the executables are screensavers and both have to be terminated. In the meanwhile, the process Pokemon go continues its quest for potential new files that can be encrypted. That said, we would take this chance to advise everyone to have a backup on the cloud or an external hard drive since you never know you could be the victim.


Posted by with Tags
Mahit Huilgol has been using Windows on PC and Mobile since long. He has been following Microsoft developments from close quarters and loves writing about it.

Leave a Reply

Your email address will not be published. Required fields are marked *

5 + 9 =