Researchers at cloud security specialist Cyren have uncovered a ransomware that masquerades as an aimbot cheat tool to give players an edge.
Fortnite is an online video game and veritable internet phenomenon, boasting some 250m users as of March 2019. The recently concluded Fortnite World Cup was viewed by more than 2m people, with a prize pool of $30m and a 16-year-old taking home the $3m top prize.
Therefore it was likely only a matter of time before the game came within the crosshairs of cybercriminals. Research published by cloud security specialist Cyren has discovered a new ransomware, named Syrk, which masquerades as a cheat tool that promises to help players aim more accurately, also known as an aimbot.
Once installed, however, the aimbot reveals itself to be malicious ransomware that begins to encrypt all of a user’s files. The ransomware works by using a Windows registry tweak to disable Windows Defender and User Account Control.
A lurid green timer comes up, counting down from two hours and saying that all of a user’s files will be deleted when the clock runs down. The threat actor explains in a message that victims can stop the deletion process by paying to receive a password.
This is not the first time hackers have taken aim at Fortnite users. Previously, reports emerged of a malware, entitled ‘Baldr’, which was disseminated via YouTube and purported to be cheating software but stole the sensitive account details of users.
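The registry tweak described above, which turns off Windows Defender and UAC, is something defenders can watch for. The following is an added detection example, not code from Cyren or from the malware. The article does not name the registry values Syrk writes, so the script assumes the standard Windows values that control these features, and the pipe-delimited log format and sample events are constructed for illustration.

```python
import re

# Standard Windows values that switch off Defender or UAC when set to the
# listed number. Assumption: the article does not say which values Syrk sets.
WATCHED = {
    r"\software\policies\microsoft\windows defender\disableantispyware":
        (1, "Defender disabled by policy"),
    r"\software\policies\microsoft\windows defender\real-time protection\disablerealtimemonitoring":
        (1, "Defender real-time protection disabled"),
    r"\software\microsoft\windows\currentversion\policies\system\enablelua":
        (0, "UAC disabled"),
}
DWORD = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")

# Constructed registry-set events: time|writing process|target value|data
SAMPLE_EVENTS = [
    r"2019-08-20T10:01:02Z|C:\Users\player\Downloads\aimbot_sample.exe|HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware|DWORD (0x00000001)",
    r"2019-08-20T10:01:03Z|C:\Users\player\Downloads\aimbot_sample.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|DWORD (0x00000000)",
    r"2019-08-20T10:05:00Z|C:\Windows\System32\svchost.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|DWORD (0x00000001)",
    "malformed line without fields",
]

def parse_event(line):
    """Return (time, image, target, value) or None for unparseable records."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 4:
        return None
    m = DWORD.fullmatch(parts[3])
    return (parts[0], parts[1], parts[2], int(m.group(1), 16)) if m else None

def find_tampering(lines):
    """List (time, image, label) for writes that disable Defender or UAC."""
    findings = []
    for ev in filter(None, map(parse_event, lines)):
        ts, image, target, value = ev
        for suffix, (bad_value, label) in WATCHED.items():
            if target.lower().endswith(suffix) and value == bad_value:
                findings.append((ts, image, label))
    return findings

def images_disabling_both(findings):
    """Processes that turned off UAC and at least one Defender setting."""
    per_image = {}
    for _, image, label in findings:
        per_image.setdefault(image, set()).add(label)
    return sorted(i for i, labels in per_image.items()
                  if "UAC disabled" in labels and len(labels) > 1)

if __name__ == "__main__":
    for finding in find_tampering(SAMPLE_EVENTS):
        print(finding)
```

A single process that disables both protections in quick succession is a stronger signal than either write alone, which is why the last function groups findings by the writing process.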
There is a fix for victims
Even if you do get infected, you aren’t entirely powerless. The research team says it believes it is possible for victims to recover deleted files due to the “simple method used to delete the files”.
The Syrk ransomware is built upon Hidden-Cry, which is well-documented ransomware. The code for it is readily available on GitHub, which is part of what makes it an easier threat to remedy.
The research also notes that the files needed to decrypt the encrypted files can be found within the infected machine, as the tool is embedded in the main malware. “Since the key is already known, it can be used to create a PowerShell script based on the shared source of the Hidden-Cry decrypter,” it said.
Researchers have also pointed out that the main malware drops the file where you can find the password to stop the process. The team at Cyren has outlined the steps you can take to execute either of these fixes.
Of course, the easiest way to avoid falling victim to such a hack is to play fair and avoid downloading cheat tools entirely.