WannaFriendMe Ransomware Operators Are Selling the Key for the Internal Currency of the Roblox Game

Cybersecurity researchers have discovered the unusual WannaFriendMe ransomware. The malware does not demand a ransom in cryptocurrency; instead, its operators sell the decryptor on the Roblox gaming platform for the in-game currency Robux.

The well-known information security researcher MalwareHunterTeam was the first to notice the WannaFriendMe malware.


The researcher writes that the ransomware poses as the infamous Ryuk ransomware, changing the extensions of encrypted files to .ryuk, but is in fact a variant of the Chaos ransomware.

Back in June 2021, the author of Chaos began selling his ransomware builder, which allows other criminals to create their own malware by customizing ransom notes, file extensions, and so on. By default, Chaos Builder pretends to be Ryuk, using the .ryuk extension for encrypted files.

However, this is not what distinguishes WannaFriendMe from other similar threats.

The main feature of this malware is that, instead of cryptocurrency, it requires the victim to purchase a decryptor for their data in the Roblox Game Pass store, MalwareHunterTeam said.

Roblox users can create their own games and monetize them by selling Game Passes that provide special access, advanced features or in-game items. Game Passes are paid for with the Robux in-game currency.

In the Roblox Game Pass store, users could indeed find a certain Ryuk Decrypter, which was sold by a user named iRazormind for 1499 Robux. The last update was dated June 5th.


Bleeping Computer notes that different versions of Chaos malware share the same problem: they not only encrypt data but often simply destroy it. Any file larger than 2 MB is overwritten with random data rather than encrypted. This means that even after purchasing a decryption tool, you will only be able to recover files smaller than 2 MB.

It is not yet clear how WannaFriendMe is distributed or whether this ransomware has been used in real attacks.
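For incident responders, the 2 MB behaviour described above means recovery triage depends on each file's size before the incident. The following added example (not from the original article or any vendor tool) sorts .ryuk files into restore-from-backup and possibly-decryptable buckets using a pre-incident inventory. The inventory format, the byte-exact cutoff and the idea that .ryuk is appended to the original file name are assumptions.

```python
import os
import tempfile
from pathlib import Path

RANSOM_EXT = ".ryuk"              # extension named in the article
DESTROY_ABOVE = 2 * 1024 * 1024   # "2 MB" from the article; byte-exact cutoff is an assumption


def triage(root, inventory, cutoff=DESTROY_ABOVE):
    """Classify files under root using a pre-incident inventory.

    inventory maps original relative POSIX path -> original size in bytes
    (hypothetical format, e.g. exported from a backup catalogue).
    Assumes the ransomware appended RANSOM_EXT to the original file name.
    """
    report = {"overwritten": [], "encrypted": [], "no_baseline": [], "untouched": []}
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            if not rel.lower().endswith(RANSOM_EXT):
                if rel in inventory:
                    report["untouched"].append(rel)
                continue
            original = rel[: -len(RANSOM_EXT)]
            size = inventory.get(original)
            if size is None:
                report["no_baseline"].append(original)  # original size unknown
            elif size > cutoff:
                report["overwritten"].append(original)  # content destroyed: backup only
            else:
                report["encrypted"].append(original)    # a decryptor could recover it
    return {bucket: sorted(paths) for bucket, paths in report.items()}


def demo():
    """Build a constructed directory tree and inventory, then run triage on it."""
    inventory = {"docs/notes.txt": 4_096, "media/video.mp4": 50_000_000,
                 "docs/readme.md": 1_200}
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("docs/notes.txt.ryuk", "media/video.mp4.ryuk",
                    "docs/readme.md", "tmp/scratch.bin.ryuk"):
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed sample content")
        return triage(tmp, inventory)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

The classification relies on pre-incident sizes because the article does not say what size an overwritten file has afterwards.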


About William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.