PokemonGo Ransomware

It did not take long for cyber criminals to use the Pokemon GO hype and milk a few innocent users. Today we have to deal with PokemonGo Ransomware, a malicious computer infection that pretends to be related to the insanely popular mobile game. Since there are still countries where this game has not been released, users in those countries may try to use the unofficial versions of the game and, as a result, they might get exposed to the likes of PokemonGo Ransomware. If that happens, you definitely need to remove the infection from your system as soon as possible.

The main target of this infection is the Arabic-speaking users. As mentioned, the Pokemon GO game has not been released in the Middle East countries, but that does not seem to stop users from trying it out. Unfortunately, this is when PokemonGo Ransomware comes in and encrypts most of your frequently used files. The extensions targeted by this infection are: .txt, .rtf, .doc, .pdf, .mht, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .htm, .gif, .png. As you can see, this program affects most of the files that might be really important to you.

When your important documents are locked, and you can no longer access them, it is natural to panic, but you should never succumb to fear. In a state of panic, it is easier to submit to the criminals’ demands and pay for the decryption key. This infection drops a ransom message file on your desktop. It is in Arabic, and it says that your files have been encrypted, and so you need to contact the people behind it via me.blackhat20152015@mt2015.com. Of course, if you do contact them, you would receive payment instructions, but, once again, we assure you that paying up is not an option here.

Let us take a closer look at the technical aspects of this infection. PokemonGo Ransomware is a genuine encrypting ransomware application the AES encryption like most of the similar programs do. It also adds the .locked extension to the affected files, so you can notice immediately which files were encrypted by this program. If that were not enough, PokemonGo Ransomware may also attempt to spread to other systems by dropping its executable file to all the removable drives that are plugged into your computer. It will also generate an autorun.inf file that will launch the infection the moment you plug in the corrupted drive into another computer.

Aside from copying itself to external drives, the ransomware will also make a copy of itself in other fixed drives on your computer, and the auto-run file will launch the infection each time you turn on your computer. From this, we can see that PokemonGo Ransomware is extremely intrusive and annoying, and it will try to do everything it can to push you into paying for the decryption key.

But the truth is that the criminals behind this infection do not really need to receive an email from you, to find out more about your system. PokemonGo Ransomware creates a backdoor administrator account on your computer, called Hack3r. Through this account, the malware developers can access your computer, and the account is hidden from you by carrying out specific Registry modifications.

On top of that, the malware does not seem to be completed yet. Our researchers suggest that PokemonGo Ransomware is still in development, so in the near future; this program may emerge as one of the worst members of the Hidden-Tear ransomware family. The reason computer security experts think this program is still being developed is the fact that the infection uses a static AES key 123vivalalgerie. This key uses an IP address intended for private use, so technically, it is impossible to reach it via the Internet. Consequently, it may not be possible to get a decryption key even if you pay the ransom fee.

The best way to go about this situation is to remove PokemonGo Ransomware right now following the manual removal instructions below. You can also terminate the infection with a computer security tool of your choice. Once the ransomware is gone, restore your files from a backup. Needless to say, do not plug in your external hard drive while the infection is still on your PC because then your backup files will get infected, too.

How to Remove PokemonGo Ransomware

1. Delete the executable files with a Pikachu icon.
2. Press Win+R and the Run prompt will open.
3. Type regedit and click OK.
4. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts.
5. Open SpecialAccounts and delete the UserList "Hack3r" = 0 key.
6. Restart your computer.
7. Press Win+R and type Control Panel. Click OK.
8. Go to User Accounts and delete the Hack3r account.
9. Scan your PC with a legitimate antispyware tool.