Cyber Incident Victim: Epic Games
Date: Aug 2019
Location: United States of America
Summary
A malicious campaign targeted players of the popular online game Fortnite by distributing ransomware disguised as a cheat tool promising competitive advantages. The malware, known as Syrk and distributed under the filename 'SydneyFortniteHacks.exe', disabled critical security protections such as Windows Defender and User Account Control (UAC) before encrypting user files including documents, images, and videos. The attackers demanded an unspecified ransom payment through email contact and threatened permanent file deletion via a two-hour countdown timer. Security researchers identified the ransomware as a variant of Hidden-Cry and noted that decryption without payment was likely possible because of weaknesses in its implementation, including recoverable file deletion techniques and a decryption tool embedded within the malware itself. The attack relied on players' desire for unfair gameplay advantages to spread.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In August 2019, cybersecurity researchers at Cyren identified a ransomware campaign targeting Fortnite players through a malicious executable disguised as a game cheat tool. The malware, named Syrk and distributed under the filename "SydneyFortniteHacks.exe," posed as an aimbot designed to give players a competitive advantage in the popular online game. Attackers promoted this fraudulent hack on sharing sites and gaming forums frequented by Fortnite's 250 million registered users. Upon execution, the 12MB file unpacked multiple embedded components that carried out a multi-stage attack: it established a connection to a command-and-control server, modified Windows Registry settings to disable security features including Windows Defender and User Account Control (UAC), and actively monitored system tools such as Task Manager to evade detection. The malware then encrypted files across multiple categories, including images, videos, documents, music, and archives, appending a .syrk extension to affected files while leaving system files untouched so that the operating system kept working.

Following encryption, victims encountered a ransom note demanding payment through an unspecified method and directing them to contact an email address provided in the message. The attackers imposed a two-hour countdown timer, threatening sequential deletion of files in the photo, desktop, and document folders if payment was not received. Analysis revealed that Syrk was a repurposed version of the known Hidden-Cry ransomware, with the attackers reusing its publicly available source code to create a new variant. Cyren researchers determined that file recovery without paying the ransom was feasible because of flaws in the malware's implementation: the attackers inadvertently included a decryption tool within the malware's embedded resources, making decryption possible via a PowerShell script, and stored the decryption password in a file dropped onto infected systems. The incident highlighted the risks associated with third-party gaming cheat tools, though no specific data on victim counts, ransom amounts, or geographic impact was disclosed in available reports.
