Roblox

A new ransomware is taking the unusual approach of selling its decryptor on the Roblox gaming platform using the service's in-game Robux currency.

Roblox is an online kids' gaming platform where members can create their own games and monetize them by selling Game Passes, which provide in-game items, special access, or enhanced features.

To pay for these Game Passes, members must purchase them using an in-game currency called Robux.

Selling decryptors on Roblox

Today, security researcher MalwareHunterTeam found a new ransomware named 'WannaFriendMe' that impersonates the notorious Ryuk Ransomware. However, in reality, it is a variant of the Chaos Ransomware.

In June 2021, a threat actor began selling a Chaos ransomware builder that allowed wannabe criminals to create their very own ransomware infection with customized ransom notes, encrypted file extensions, and other features.

By default, the Chaos builder pretends to be Ryuk, using the .ryuk extension for encrypted files, as shown below.

Files encrypted by the Chaos ransomware variant
Source: BleepingComputer

What makes the new WannaFriendMe ransomware stand out is that instead of demanding cryptocurrency as a ransom payment, it requires victims to purchase a decryptor from Roblox's Game Pass store using Robux, as can be read in the ransom note below:

----- YOUR FILES HAVE BEEN ENCRYPTED! -----

Don't panic, your files are decryptable, But your files can only be decrypted with our own decrypter tool! To get this decrypter, you must buy this gamepass: https://www.roblox.com/game-pass/49955147/Ryuk-Decrypter

YOU MUST HAVE A ROBLOX ACCOUNT TO BUY THE GAMEPASS, BUY 1700 ROBUX AND THEN BUY THE GAMEPASS ABOVE.

AFTER BUYING THE GAMEPASS, CONTACT xxx@icloud.com WITH YOUR USERNAME AND SCREENSHOT OF YOU OWNING THE GAMEPASS. DO NOT DELETE THE GAMEPASS OTHERWISE YOU WILL DISOWN THE GAMEPASS.

When visiting the URL to the Roblox Game Pass store, you can see that the 'Ryuk Decrypter' is being sold by a user named 'iRazormind' for 1,499 Robux and was last updated on June 5th.

Decryptor sold as a Roblox Game Pass
Source: BleepingComputer

The problem with Chaos ransomware variants is that they not only encrypt your data but also destroy it in many cases.

While encrypting a device, any file greater than 2MB in size will be overwritten with random data and not encrypted. This means that even if you purchase a decryptor, only files smaller than 2MB can be recovered.

WannaFriendMe source code showing how it destroys files
Source: BleepingComputer
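
For responders, the size cutoff described above decides which files need a backup restore no matter what happens with the decryptor. The following triage sketch is an added example, not code from the article or the malware. It assumes a pre-incident backup manifest with original file sizes, that "2MB" means 2 MiB, and that the .ryuk extension is appended to the original file name; all paths and sizes are constructed sample data.

```python
import csv
import io

THRESHOLD = 2 * 1024 * 1024  # assumption: the article's "2MB" read as 2 MiB
EXT = ".ryuk"                # default Chaos builder extension named in the article

# Constructed sample: pre-incident backup manifest (original path, size in bytes)
MANIFEST_CSV = """path,size
C:\\Users\\kid\\Documents\\homework.docx,48211
C:\\Users\\kid\\Videos\\clip.mp4,73400320
C:\\Users\\kid\\Pictures\\avatar.png,1500000
"""

# Constructed sample: file listing taken from the affected host
FOUND = [
    "C:\\Users\\kid\\Documents\\homework.docx.ryuk",
    "C:\\Users\\kid\\Videos\\clip.mp4.ryuk",
    "C:\\Users\\kid\\Pictures\\avatar.png.ryuk",
    "C:\\Users\\kid\\Desktop\\notes.txt.ryuk",
    "C:\\Users\\kid\\Desktop\\untouched.txt",
]

def load_manifest(text):
    """Map lower-cased original path -> original size in bytes."""
    rows = csv.DictReader(io.StringIO(text))
    return {row["path"].lower(): int(row["size"]) for row in rows}

def triage(found_paths, manifest):
    """Sort affected files by what the article says happened to them."""
    plan = {"encrypted": [], "overwritten": [], "unknown": []}
    for path in found_paths:
        if not path.lower().endswith(EXT):
            continue  # not renamed by the ransomware
        original = path[:-len(EXT)]  # assumption: extension was appended
        size = manifest.get(original.lower())
        if size is None:
            plan["unknown"].append(original)      # no pre-incident size on record
        elif size > THRESHOLD:
            plan["overwritten"].append(original)  # random data: backup restore only
        else:
            plan["encrypted"].append(original)    # encrypted, not destroyed
    return plan

if __name__ == "__main__":
    for status, files in triage(FOUND, load_manifest(MANIFEST_CSV)).items():
        print(status, len(files), files)
```

The original sizes have to come from the manifest because the article does not say whether an overwritten file keeps its size.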

Roblox told BleepingComputer that they removed the Game Pass and the account hosting the decryptor.

“Roblox maintains many systems to keep our users safe and secure, and while this case did not relate to any exploit or vulnerability on Roblox, we have taken swift action to remove the Game Pass in question and we have permanently removed the account responsible for a breach of our Terms of Service.” - Roblox.

While it is unclear how this ransomware is distributed or if it has been used in attacks, its destructive nature and its targeting of young gamers could lead to significant damage.

This is not the first time Chaos ransomware variants have targeted gamers.

In October, threat actors targeted Japanese Minecraft players with 'alt lists' that allegedly contained stolen Minecraft accounts but instead encrypted devices with the Chaos ransomware variant.

Update 6/13/22: Added Roblox statement.
