Security
A fake app called "Pokémon GO for Windows", a product that does not exist, has been created, and people who installed it believing it to be the real Pokémon GO app were infected with ransomware that locks victims out of the data on their device and demands a ransom. The Pokémon GO ransomware reportedly behaves differently from the typical ransomware reported so far.

PokemonGo Ransomware installs Backdoor Account and Spreads to other Drives
http://www.BleepingComputer.com/news/security/pokemongo-ransomware-installs-backdoor-accounts-and-spreads-to-other-drives/

This ransomware was discovered by security researcher Michael Gillespie. The app's icon looks like this.
Once it has infected the victim's device, the ransomware first scans the machine for files with the following extensions.
It then encrypts these files with AES and appends the extension ".locked" to each encrypted file so that the user can no longer access them. When that work is complete, it displays a message telling the victim how to pay the ransom if they want access to the data on the device, and to contact "[email protected]". Much of the ransomware reported in the past would encrypt the data, delete it, and then display the threat. The Pokémon GO ransomware, however, only encrypts the data and displays the threat without deleting it. It also differs from other ransomware in that, on infection, it creates a backdoor on the Windows device that lets the ransomware's author access the victim's machine again at a later date. When a machine is infected with the Pokémon GO ransomware, a user account called "HACK3R" is added to the Administrators group, as shown below. The HACK3R account is hidden so that it does not appear on the Windows login screen.
Another unusual feature of the Pokémon GO ransomware is that it creates a network share on the victim's computer. At the time of writing, however, this share is not being used, and its purpose is unknown.
The Pokémon GO ransomware also tries to copy its own executable to removable drives. It creates a file called "Autorun.inf" so that, the moment the drive is connected to another computer, that computer is infected too, spreading the infection from one machine to the next. It also copies itself from the external drive to the computer's C drive so that the ransomware is launched automatically when the user logs in to their Windows account. Judging from the language used in the ransom note, the targets of this Pokémon GO ransomware are people in the Arab region. The ransom note is shown below; translated, it reads: "Your files have been encrypted. Contact [email protected] to decrypt them. Thank you in advance for your generosity. Goodbye."
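The behaviours described above (a hidden local administrator account, an Autorun.inf dropped on removable drives, and an executable launched at logon) are all things a defender can check for locally. The following PowerShell script is an added example and is not code from the article or from BleepingComputer. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module, and it assumes the account is hidden through the Winlogon `SpecialAccounts\UserList` registry value; the article does not say how the account is hidden, so that part is an assumption.

```powershell
# Added example (not from the article): defender-side triage for the behaviours
# described above. Assumptions: Windows PowerShell 5.1+ with Get-LocalGroupMember,
# and that the account is hidden via Winlogon SpecialAccounts\UserList (the
# article does not state the mechanism).

$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-LocalAdminAccounts {
    # Every member of the local Administrators group, flagged if it is suppressed
    # from the logon screen (a UserList DWORD value of 0 hides the account).
    $hidden = @()
    if (Test-Path -LiteralPath $UserListKey) {
        $props = Get-ItemProperty -LiteralPath $UserListKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) { $hidden += $p.Name }
        }
    }
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $short = ($_.Name -split '\\')[-1]          # drop the COMPUTER\ prefix
        [pscustomobject]@{
            Account = $_.Name
            Source  = $_.PrincipalSource
            Hidden  = [bool]($hidden -contains $short)
        }
    }
}

function Get-RemovableAutorun {
    # DriveType 2 = removable media. Reports any Autorun.inf present and the
    # command its open= line would launch, which is what a self-copying worm relies on.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'Autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $open = Select-String -LiteralPath $inf -Pattern '^\s*open\s*=\s*(.+)$' |
                    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
            [pscustomobject]@{
                Drive      = $_.DeviceID
                AutorunInf = $inf
                Launches   = ($open -join '; ')
            }
        }
    }
}

function Get-LogonRunEntries {
    # Per-machine and per-user Run entries. The article says the sample is launched
    # at logon after copying itself to C:, so these keys are the first place to look.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Usage: run from an elevated prompt and review the three reports.
Get-LocalAdminAccounts | Format-Table -AutoSize
Get-RemovableAutorun   | Format-Table -AutoSize
Get-LogonRunEntries    | Format-Table -AutoSize
```

Any Administrators member reported with `Hidden = True` that was not created deliberately, any removable drive carrying an Autorun.inf whose `open=` line points at an executable on the drive itself, and any Run entry pointing at an unexpected binary under C:\ are each worth investigating on their own; the combination is what the article describes. Note that the Run keys are only one of several autostart locations, so an empty result there does not rule out logon persistence.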
When the victim logs in to Windows, the following screen saver is displayed.
The AES password "123VIVALALGERIE" means "Long live Algeria", the program uses Arabic and French, and "Sans Titre" in the screen saver program is French for "Untitled", so the ransomware's developer is believed to be Algerian. Given the features described above, the Pokémon GO ransomware also appears to still be "under development", and it is unknown how far the infection will spread. Going forward, care is needed when downloading and installing Pokémon GO-related apps.
in software, security, posted by logq_fa