Ryuk Goes Chaotic – Roblox Game Pass Ransomware

Ransomware seems to be taking over these days, targeting victims everywhere. These attacks keep advancing in techniques, and in today’s case, in form. The Ryuk ransomware is definitely formidable, but this time around, it’s not really it. In fact, a Chaos ransomware variant (WannaFriendMe) is impersonating Ryuk, infecting systems, and asking for a weird type of payment.

Chaos Impersonates Ryuk to Target Roblox

Chaos has been around for quite some time now, but it usually operates under its own name. Not to mention that this is also a first when it comes to payment, as it’s not asking for cryptocurrency in exchange for decryption.

Instead, it’s using the Roblox gaming platform so that victims can pay via the in-game Robux currency. A lot of questions here: Why impersonate Ryuk? How are they earning Robux? We have everything covered in the following article.

WannaFriendMe Ransomware – Perfect Impersonation, Perfect Ransomware Strike

Cyberattacks, phishing scams, as well as ransomware campaigns, have targeted the entertainment industry a lot in the last couple of months.

Even the Spiderman: No Way Home movie got its own phishing scam. Before that, EA suffered a major data breach, and now, Roblox is on WannaFriendMe’s radar.

The scam doesn’t involve Roblox as the lure, but it has a major role to play. Usually, when the attackers deploy their ransomware, they encrypt the users’ data and ask for a ransom in exchange for decryption.

To inform the victim, they use notes with a link to a bank account or Tor URL where they can transfer cryptocurrency.

Well, WannaFriendMe has a different approach this time as the operators are not after cryptocurrencies or real money. Instead, to get the decryptor, the victims should purchase it through Roblox’s official store.

They ask the target to purchase 1700 Robux and subscribe to the Game Pass. You can see the full note in the image below: (Source: MalwareHunter)

Ryuk Ransom Note

Once they purchase the amount of Robux, the victim should subscribe to the premium pass, then buy the decryptor through the official store. It is sold by a user named ‘iRazormind’ for 1,499 Robux and was last updated on June 5th.

Buy Ryuk Decrypter

Unfortunately, despite having the decryptor, a victim’s data isn’t safe at all. It’s not about the intentions behind Chaos – it’s how the malware itself works.

Chaos variants don’t only encrypt a target’s data but also destroy it in many cases. If a file is bigger than 2MB in size, the malware will overwrite it with random data.

In other words, even if a decryptor is purchased, only files smaller than 2MB will be recovered. The rest will be destroyed.
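For incident responders, the size rule described above translates into a restore plan: anything over the threshold has to come from backup, whatever happens with a decryptor. The following is an added example, not code from the original article or from the malware; the inventory format, the sample rows and the reading of "2MB" as 2 MiB are assumptions.

```python
import csv
import io
from collections import defaultdict
from pathlib import PurePath

# Assumption: the article says "2MB" without a byte count; 2 MiB is used here.
THRESHOLD_BYTES = 2 * 1024 * 1024

# Constructed sample: a pre-incident inventory (path,size_bytes), for example
# exported from a backup catalogue. Sizes taken after the attack may not match.
SAMPLE_INVENTORY = """path,size_bytes
C:/Users/a/Documents/notes.txt,1200
C:/Users/a/Documents/report.docx,2097152
C:/Users/a/Pictures/holiday.png,5242880
C:/Users/a/Videos/clip.mp4,734003200
C:/Users/a/Documents/broken_row,not-a-number
"""

def triage(inventory_csv, threshold=THRESHOLD_BYTES):
    """Split a pre-incident file inventory by the Chaos size rule."""
    result = {
        "encrypted_only": [],   # not bigger than the threshold: content still exists, encrypted
        "overwritten": [],      # bigger than the threshold: random data, backup is the only source
        "skipped": [],          # rows that could not be parsed
        "overwritten_bytes_by_ext": defaultdict(int),
    }
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        path = (row.get("path") or "").strip()
        try:
            size = int(row.get("size_bytes") or "")
            if size < 0 or not path:
                raise ValueError("bad row")
        except ValueError:
            result["skipped"].append(path)
            continue
        if size > threshold:    # "bigger than 2MB" is read as strictly greater
            result["overwritten"].append((path, size))
            ext = PurePath(path).suffix.lower() or "(none)"
            result["overwritten_bytes_by_ext"][ext] += size
        else:
            result["encrypted_only"].append((path, size))
    # Largest losses first, so restore planning starts with them.
    result["overwritten"].sort(key=lambda item: item[1], reverse=True)
    return result

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for path, size in report["overwritten"]:
        print(f"restore from backup: {path} ({size} bytes)")
    print(f"encrypted only: {len(report['encrypted_only'])}, skipped: {len(report['skipped'])}")
```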

WannaFriendMe Ransomware – More Like WannaGiveMe Your Robux

Chaos operators have targeted gamers before, where they attacked those who played Minecraft. When it comes to ransomware, you have to be careful what links to trust, especially through emails that could be phishing ones.

Recently, ransomware has been associated with phishing attacks, so make sure to stay vigilant whenever you receive a shady email.
