A Pokemon Go-themed ransomware virus has appeared on Windows computers, tablets and phones. The ransomware is the latest in a series of malicious applications that have popped up in the wake of the global Pokemon Go obsession.
This particular piece of malware is known as POGO Tear and it’s based on open source ransomware code called Hidden Tear. POGO Tear encrypts the files on victims’ computers, changes the extension to “.locked” and then demands a ransom on a screen emblazoned with famed character Pikachu’s picture.
POGO Tear is currently coded to display its ransom message in Arabic only as shown below. The text informs users that their data has been encrypted and instructs them to contact firstname.lastname@example.org to decrypt their files. It also thanks them for their generosity.
What’s interesting about this malware is that it incorporates several features not usually found in other ransomware viruses. POGO Tear creates an administrative user account called Hack3r on the victim’s machine and then hides it from the logon screen so the user can’t tell it’s there.
It also creates a network share on the victim’s computer and copies itself to all available network drives. The ransomware automatically executes when Windows starts.
How to recover from POGO Tear
When your computer is attacked with POGO Tear, it’s not enough to simply remove the infected files and restore from backup. Victims must also remove the backdoor administrator account and ensure that it has been cleaned from all removable drives and connected computers before performing restore operations. Otherwise, the administrative account could allow an attacker to install additional ransomware, or even steal data using more traditional attack methods.
It appears that POGO Tear is still in a beta or development stage. It uses a static decryption key which will most likely be replaced with a random key when it’s fully deployed. Currently, files encrypted by POGO Tear can be decrypted with the following AES encryption key: 123vivalalgerie
POGO Tear has a private IP address of 10.25.0.169 coded into it for command and control, indicating that the developer of it is still testing out command and control functionality since a private IP address cannot be directly referenced by other computers over the internet. This will most likely be replaced with a set of internet-accessible dynamic DNS names once the full version is released. POGO Tear does not exist in any other languages besides Arabic and it currently does not specify a value for the ransom.
If you are infected with POGO Tear, you can decrypt your files with the key mentioned above. But be sure to have adequate backups, endpoint protection and network security controls in place to guard against the future release of the full version. And if you’re interested in playing Pokemon Go, be sure to download the official version from Niantic when visiting your favorite online app store.
For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.
About Eric Vanderburg
Eric Vanderburg is an information security executive, thought leader and author known for his insight on cybersecurity, privacy, data protection and storage. Some have called him the “Sheriff of the Internet” since he and his cybersecurity team at JurInnov protect companies from cyber threats, investigate data breaches, and provide guidance on safe computing.
Eric is passionate about sharing knowledge of cybersecurity and technology news, insights and best practices. He regularly presents on security topics and maintains a security blog.