Japanese Minecraft players who downloaded a supposed list of stolen Minecraft accounts quickly discovered it was not what they were expecting: the ‘list’ is, in fact, a ransomware file that does a lot of harm to big files on the system, according to Fortinet.
The file isn’t just any old ransomware but a “variant of Chaos ransomware”, a family that has been in development since June and has been popping up as of late. Other variants of the ransomware have been described as infecting all of a system’s hard drives and disabling Windows recovery mode as well. The Minecraft ransomware file in question encrypts files. When a user downloads the file, it also destroys files that meet a certain condition.
Any file larger than the ransomware’s exact threshold of 2,117,152 bytes (2.0191 MB) is corrupted and filled with random bytes that permanently destroy it, meaning the affected users won’t be able to get those files back. The ransomware also destroys the Windows backup copies, so users can’t restore the system to its original state.
To recover the system, victims are directed to a ransom note: the attacker sets things up so that a Readme text file shows up on the PC’s wallpaper as red text on a black background. It asks those infected by the ransomware to pay 2,000 yen (about $21.77 CAD or $17.53 USD) with bitcoin or a prepaid card. The prepaid cards in question can be used for online shopping, gaming, music, mobile phones and streaming services.
The kicker to the whole thing: according to Fortinet, the ransom note states that the attacker is “available only on Saturdays and apologizes for any inconvenience caused”. After Minecraft players pay the fee, the only files that are restored are the ones that are smaller than 2 MB.