A PewDiePie fan has taken his admiration of the popular video game commentator a little too far, creating ransomware designed to increase the YouTube star’s subscriber count.
Fortunately, anti-malware company Emsisoft last week announced a new decryption tool that restores machines infected by the unusual malware, named “PewCrypt.”
On its website, Emsisoft describes PewCrypt as a Java-based ransomware that uses AES and RSA to encrypt files, while adding the extension “.PewCrypt”. The creator’s ransom note asks the victim to subscribe to PewDiePie and warns that the malware creator will not issue a decrypter tool unless and until PewDiePie reaches 100 million subscribers.
“Were that not to happen, people would have no means of decrypting their data,” said Emsisoft researcher Michael Gillespie in an email interview with SC Media.
The ransom note also claims that if T-Series beats PewDiePie in total subscribers, “the private key will be deleted and you [sic] files gone forever [sic]”. T-Series is a record company that produces Bollywood music soundtracks and Indi-pop music, and has regularly been in competition with PewDiePie over who has the number-one YouTube channel.
Ultimately, PewCrypt’s creator went back on his threat and released his own version of a decrypter. But he also open-sourced the malware itself, allowing other actors to potentially adopt and modify PewCrypt to use it in the wild. Using two different variations of the username “JustMe,” the ransomware developer posted his work on both Twitter and GitHub.
According to Gillespie, the decrypter tool “JustMe” provided “was a command-line based decrypter that is not very user friendly. Also, the user would have to trust the person who initially infected them to not further infect them with more malware.”
Instead, victims can now use Emsisoft’s decryption tool, which was created by extracting and converting the private key to make a GUI decryptor, a company spokesperson explained. The spokesperson said that Emsisoft is not aware of a “huge number” of PewCrypt victims, “but there are definitely cases out there.”
In an unrelated development, BleepingComputer reported today that Emsisoft released another decryptor for Hacked Ransomware, aka HKCrypt. Discovered by BleepingComputer creator Lawrence Abrams back in 2017, the ransomware displays a fake Windows Update while encrypting victims’ files with the RC4 algorithm and appending the extension “.hacked” to their names.