Cybersecurity researchers have discovered an unusual ransomware strain called WannaFriendMe. The malware does not demand a ransom in cryptocurrency; instead, its decryptor is sold on the Roblox gaming platform for the in-game currency Robux.
The well-known information security researcher MalwareHunterTeam was the first to notice the WannaFriendMe malware.
The researcher writes that the ransomware impersonates the infamous Ryuk ransomware, changing the extensions of encrypted files to .ryuk, but is in fact a variant of the Chaos ransomware.
Back in June 2021, the author of Chaos began selling his ransomware builder, which allows other criminals to create their own malware by customizing ransom notes, file extensions, and so on. By default, Chaos Builder pretends to be Ryuk, using the .ryuk extension for encrypted files.
However, this is not what distinguishes WannaFriendMe from other similar threats.
Roblox users can create their own games and monetize them by selling Game Passes that provide special access, advanced features or in-game items. Game Passes are purchased with the Robux in-game currency.
In the Roblox Game Pass store, users could indeed find a certain Ryuk Decrypter, which was sold by a user named iRazormind for 1499 Robux. The last update was dated June 5th.
Bleeping Computer notes that different versions of the Chaos malware share the same problem: they not only encrypt data but often simply destroy it. Any file larger than 2 MB is overwritten with random data rather than encrypted. This means that even after purchasing a decryption tool, a victim will only be able to recover files smaller than 2 MB.
It is not yet clear how WannaFriendMe is distributed or whether this ransomware has been used in real attacks.