SpriteCoin ransomware installs malware after paying the ransom

SpriteCoin might be the test version of a new ransomware distribution method


SpriteCoin is a new scheme by cyber criminals to trick users into installing ransomware on their computers. This time the crooks took advantage of the worldwide cryptocurrency craze and people's eagerness to earn virtual money.

Researchers from Fortinet[1] discovered a fake cryptocurrency wallet called SpriteCoin being advertised on various forums. Criminals promote it as a new virtual currency which is written in JavaScript and promises great profits.

However, people who were interested in this novelty soon discovered that they had downloaded a ransomware executable. Instead of gaining cryptocurrency, they were asked to pay 0.3 Monero to get their encrypted files back.

Security specialists believe that the criminals have come up with a new way to trick users into installing ransomware on their computers. Awareness of spam emails carrying malware is slowly growing, so it is no surprise that attackers are looking for new ways to infect devices.

“Enter your desired wallet password” and get your files encrypted!

Victims who fell for this scam downloaded and executed SpriteCoin ransomware from the MoneroPayAgent.exe file and received a prompt asking them to enter their preferred wallet password. They then saw a regular setup window that claimed to be downloading a blockchain.

In reality, however, the program just encrypts data. The malware, also known as MoneroPay ransomware,[2] targets the most popular file types, including Microsoft Office documents and various image, multimedia and other file types. During encryption, it also adds the .encrypted file extension to the files it makes inaccessible.

However, holding the victim's files hostage is not enough. The malware also transfers Chrome and Firefox credentials to its remote website.
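The two on-disk indicators mentioned above, the MoneroPayAgent.exe file name and the .encrypted extension, can be used for a quick triage of an affected machine. The following Python sketch is an added example, not code from Fortinet's report or from this article; it assumes the extension is appended to the original file name (for example report.docx.encrypted), and the list of file types and the sample paths are constructed for illustration.

```python
import os
from pathlib import PureWindowsPath

# Indicators named in the article.
DROPPER_NAME = "moneropayagent.exe"
RANSOM_EXT = ".encrypted"
# Assumption: a small illustrative subset of the targeted Office, image and
# multimedia types; the article does not list exact extensions.
TARGET_TYPES = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                ".jpg", ".png", ".mp3", ".mp4"}

# Constructed sample paths, not taken from a real incident.
SAMPLE = [
    r"C:\Users\alice\Downloads\MoneroPayAgent.exe",
    r"C:\Users\alice\Documents\report.docx.encrypted",
    r"C:\Users\alice\Documents\budget.xlsx.encrypted",
    r"C:\Users\alice\Pictures\trip.JPG.encrypted",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\AppData\vault.encrypted",
]


def triage(paths):
    """Classify file paths against the two SpriteCoin indicators."""
    report = {"dropper": [], "encrypted": [], "dirs": {}}
    for raw in paths:
        path = PureWindowsPath(raw)  # parses both '\\' and '/' separators
        if path.name.lower() == DROPPER_NAME:
            report["dropper"].append(raw)
            continue
        suffixes = [s.lower() for s in path.suffixes]
        # Assumption: the ransom extension is appended after the original one.
        # A bare "name.encrypted" is skipped to limit false positives.
        if (len(suffixes) >= 2 and suffixes[-1] == RANSOM_EXT
                and suffixes[-2] in TARGET_TYPES):
            report["encrypted"].append(raw)
            folder = str(path.parent)
            report["dirs"][folder] = report["dirs"].get(folder, 0) + 1
    return report


def scan(root):
    """Walk a directory tree and triage every file found in it."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, name) for name in files)
    return triage(found)
```

Calling `scan()` on a user profile directory returns the matching paths together with a per-folder count of affected files, which helps decide what to restore from backup.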

Authors of the ransomware ask for the ransom in Monero

Traditionally, creators of ransomware ask for the ransom in Bitcoin.[3] However, over a couple of months, the popularity of the Monero cryptocurrency was growing rapidly.[4] It is therefore no surprise that cyber criminals became interested in this virtual money too.

Once SpriteCoin ransomware has encrypted all targeted files, it delivers a ransom note in a browser window. The same threatening message is also displayed every time a user tries to open an encrypted file.

The ransom note says that in order to regain access to their files, victims have to transfer 0.3 Monero to the provided address. Compared to other ransomware demands, the authors of this cyber threat are not greedy: they ask for about 120 USD. However, victims should not pay them.

Researchers note that paying the ransom is not only a waste of money but also leads to the installation of other malware. Currently, there is not much information about the malicious program, identified as W32/Generic!tr, except that it might be capable of tracking sensitive information or activating web cameras.[5]

However, it appears that the developers of the ransomware are looking for new ways to swindle money from computer users by tricking them into installing more harmful programs instead of a decryption tool.

Thus, it’s better to create backups and avoid questionable cryptocurrencies promoted on various forums. No matter how exciting and interesting digital money seems, you should not trust every opportunity that appears to mine Monero, Bitcoin or other currencies without checking its credibility first.

About the author
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.
