Syrk ransomware attacks cheaters in Fortnite

by Brendan Smith
August 21, 2019

Cyren experts discovered the Syrk cryptographer, built on the basis of the open-source malware Hidden-Cry, whose source codes were published in the public domain at the end of last year. Syrk ransomware targets cheaters at Fortnite.

Malicious software disguises itself as a game hacking utility and promises to give players an advantage in accurate aiming, knowing the exact location of other players.

Reference:
The global gaming phenomenon Fortnite has a huge user base from the worldwide. According to last report, in March it accounted 250 million gamers – and the just-concluded Fortnite World Cup with its $30 million prize pool and an online viewing audience of over two million has certainly only added to its allure.

In fact, instead of the desired aimbot, players download a malware that immediately after launch starts encrypting files on their computers, adding to them the .Syrk extension.

The malware also tries to distinguish between Windows Defender and User Account Control (UAC) on the infected machine, achieve a constant presence in the system and carefully monitors processes that can lead to its termination (task manager, Procmon64 and ProcessHacker).

In addition, the ransomware is trying to infect USB drives connected to the system for further distribution.

Ransomware screen

Ransomware screen

Having finished encryption, the ransomware tries to force its victims to pay the ransom as soon as possible.

“One principle feature of the Hidden-Cry ransomware is that, as seen in the instructions shown, it creates the sense of urgency in the victim by deleting files every two hours”, — reported Cyren specialists.

However, Cyren researchers believe that recovering deleted files and decrypting other data is possible without paying attackers.

Researchers immediately found two possible methods of decrypting the data, since the necessary files are present on the infected computers themselves. One of them is dh35s3h8d69s3b1k.exe, a Hidden-Cry decryption tool built into the original malware. Extracting and executing this file will create the PowerShell script needed to decrypt the information.

Read also: Trojan Saefko compiles a victim’s profile and can spread via USB devices

In addition, the ransomware stores in the system files containing the ID and password necessary for decrypting the files. These are the -i + .txt, -pw + .txt and + dp-.txt files stored in C:\Users\Default\AppData\Local\Microsoft.

Given the size of the global pool of players and the obvious motivation for developing their game, it is not surprising that cybercriminals target Fortnite users. Researchers believe that gamers should wait for new attacks.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Brendan Smith

Cybersecurity analyst with 15+ years digging into malware and threats, from early days reverse-engineering trojans to leading incident responses for mid-sized firms.

At Gridinsoft, I handle peer-reviewed breakdowns of stuff like AsyncRAT ransomware—last year, my guides helped flag 200+ variants in real scans, cutting cleanup time by 40% for users. Outside, I write hands-on tutorials on howtofix.guide, like step-by-step takedowns of pop-up adware using Wireshark and custom scripts (one post on VT alternatives got 5k reads in a month).

Certified CISSP and CEH, I’ve run webinars for 300+ pros on AI-boosted stealers—always pushing for simple fixes that stick, because nobody has time for 50-page manuals. Tools of the trade: Splunk for hunting, Ansible for automation, and a healthy dose of coffee to outlast the night shifts.

View all posts

Leave a Reply

Sending