FortiGuard Labs recently discovered a variant of the Chaos ransomware that appears to target Minecraft gamers in Japan. This variant not only encrypts certain files but also destroys others, rendering them unrecoverable. If gamers fall prey to the attack, choosing to pay the ransom may still lead to a loss of data. In this report we will take a look at how this new ransomware variant works.
Gamers create “alt” (alternative) accounts within Minecraft for various purposes, both good and bad: alt accounts let them antagonize or troll other players without having their main account banned, provide cover for an alternative in-game identity or personality, help them avoid getting their main account banned for using cheats (gaining an unfair advantage over other gamers), and so on. FortiGuard Labs has discovered a variant of Chaos ransomware hidden in a file pretending to contain a list of “Minecraft Alt” accounts, which leads us to believe that the aim is to target Minecraft gamers in Japan.
Alt Lists contain stolen accounts that gamers can use to do the things listed above, even though the lists are often publicly available through online Minecraft forums. The threat actors behind this ransomware attack are using such a list as the lure to get victims to download and open the file.