A phishing campaign targeting Russian-speaking players of the multiplayer game Enlisted has been discovered, with hackers using a counterfeit Enlisted website to distribute fake WannaCry ransomware, according to cybersecurity firm Cyble.
Although the specific group behind the attack has not been identified, researchers believe it may be connected to the ongoing conflict between Russia and Ukraine. Enlisted, a free-to-play game published by Gaijin Entertainment, attracted between 500,000 and a million monthly active players.
The fake Enlisted website hosted a legitimate game installer along with ransomware that imitated the notorious WannaCry cryptoworm, falsely attributed to the North Korean hacking group Lazarus.
Named WannaCry 3.0, the ransomware used the “wncry” file extension for the files it encrypted, despite not being an authentic variant of WannaCry. The malicious software distributed through the fake Enlisted website was a customized version of the open-source ransomware Crypter, designed for Windows systems and coded in Python.
Once installed, WannaCry 3.0 encrypted the victim’s files and displayed a ransom note instructing them to contact the hackers through Telegram to negotiate a decryption fee. The note included a warning about the payment deadline and a button to access the list of encrypted files. Additionally, the ransomware changed the victim’s desktop background to serve as a reminder to follow the instructions.
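A detection-side illustration of the behaviour described above, added here and not taken from Cyble's report or from the ransomware itself: it flags any process that creates several files with the “wncry” extension within a short time window. The pipe-separated event format, the sample events, and the threshold and window values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EXTENSION = ".wncry"  # extension the article reports for the fake "WannaCry 3.0"

# Constructed sample events (assumed format): timestamp|process image|file created
SAMPLE_EVENTS = """\
2023-06-01T10:00:00|C:\\Games\\launcher.exe|C:\\Games\\cache\\patch.bin
2023-06-01T10:02:10|C:\\Users\\a\\AppData\\Local\\Temp\\sample.exe|C:\\Users\\a\\Documents\\cv.docx.wncry
2023-06-01T10:02:11|C:\\Users\\a\\AppData\\Local\\Temp\\sample.exe|C:\\Users\\a\\Documents\\tax.xlsx.WNCRY
2023-06-01T10:02:12|C:\\Users\\a\\AppData\\Local\\Temp\\sample.exe|C:\\Users\\a\\Pictures\\cat.jpg.wncry
2023-06-01T10:02:40|C:\\Windows\\explorer.exe|C:\\Users\\a\\Desktop\\notes.wncry
malformed line without separators
"""

def parse_events(text):
    """Yield (timestamp, process image, target path); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]

def find_wncry_bursts(text, threshold=3, window=timedelta(seconds=60)):
    """Return {process image: largest count of .wncry files created in one window}."""
    per_process = defaultdict(list)
    for ts, image, target in parse_events(text):
        if target.lower().endswith(EXTENSION):  # case-insensitive match
            per_process[image].append(ts)
    alerts = {}
    for image, stamps in per_process.items():
        stamps.sort()
        start = best = 0
        for end in range(len(stamps)):
            # Shrink the window until it spans at most `window` of time.
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:  # a single stray file does not alert
            alerts[image] = best
    return alerts

if __name__ == "__main__":
    for image, count in find_wncry_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {image}: {count} {EXTENSION} files within the window")
```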
Cybercriminals often target popular games as a means to reach a larger pool of potential victims, exploiting the willingness of some gamers to download free or pirated versions of games without taking necessary security precautions.
This tactic was previously seen in scams related to The Last of Us, where fraudsters distributed malware disguised as game downloads, capitalizing on the anticipation surrounding the release of the TV series adaptation on HBO.