PokemonGo Ransomware

PokemonGo Ransomware targets Windows OS and masquerades as a PokemonGo Windows application. It uses AES encryption and appends .locked to encrypted file names. PokemonGo Ransomware also installs a backdoor, creates an administrator account labeled “Hack3r” on the infected system, and then modifies the registry to hide the newly created account. It then creates network shares and copies its executable file to other drives. PokemonGo Ransomware creates and places an Autorun.inf file in each drive to ensure that the executable is launched when the victim logs into Windows or when the infected removable drive is inserted into another system.

The ransom note and screensaver generated by this variant currently target Arabic-speaking victims, but security researchers believe it is still in development by its creator, and new languages and features could be added before its release. The ransom payment demand for PokemonGo Ransomware is currently unknown.
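
The following read-only triage script is an added example, not code from the NJCCIC profile or from Bleeping Computer; it checks a host for the three host-level behaviors described above (the “Hack3r” administrator account, an account hidden from the logon screen, and Autorun.inf plus .locked files in drive roots). The page does not name the registry key used to hide the account, so the standard Windows mechanism (the SpecialAccounts\UserList key) is assumed here.

```powershell
# Added example: triage checks for the PokemonGo Ransomware behaviors described above.
# Assumption: account hiding uses the standard SpecialAccounts\UserList key (not stated on the page).
# Run from an elevated PowerShell session; the script only reads, it changes nothing.

$findings = @()

# 1. Unexpected members of the local Administrators group (the page names "Hack3r").
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
foreach ($m in $admins) {
    if ($m.Name -match 'Hack3r') {
        $findings += "Administrators group contains suspicious member: $($m.Name)"
    }
}

# 2. Accounts hidden from the logon screen: a DWORD value of 0 under UserList hides that account.
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    $props = Get-ItemProperty -Path $userList
    foreach ($p in $props.PSObject.Properties) {
        # Skip PowerShell's own PS* metadata properties on the returned object.
        if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) {
            $findings += "Account hidden from logon screen via registry: $($p.Name)"
        }
    }
}

# 3. Autorun.inf planted in each drive root, and .locked files (the encrypted-file marker).
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $autorun = Join-Path $drive.Root 'Autorun.inf'
    if (Test-Path $autorun) {
        $findings += "Autorun.inf present in drive root: $autorun"
    }
    # Stop at the first hit so a clean drive is the only case that costs a full scan.
    $locked = Get-ChildItem -Path $drive.Root -Filter '*.locked' -Recurse -File `
        -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($locked) {
        $findings += "Files with .locked extension on $($drive.Root) (e.g. $($locked.FullName))"
    }
}

if ($findings.Count -eq 0) {
    'No indicators matching the PokemonGo Ransomware profile were found.'
} else {
    $findings
}
```

The recursive .locked search walks every fixed and removable drive, so on large volumes it can take several minutes; a hit on any of the three checks should be followed by isolating the host and pulling the Autorun.inf and the referenced executable for analysis.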

  • Bleeping Computer provides more information about PokemonGo Ransomware here.
  • The NJCCIC is not currently aware of any decryption tools available for PokemonGo Ransomware.

One example of the PokemonGo Ransomware variant. Image Source: Bleeping Computer