'SpriteCoin' ransomware takes advantage of cryptocurrency hype

The new ransomware encrypts files and delivers more malware instead of a decryption key

Bitcoin trundled on for close to a decade before it finally began to spike in value. Other digital currencies, like Ethereum and Monero, also started at a low point before hitting their stride and providing a measurable return. It shouldn't come as a surprise, then, that investors are keen to embrace the hype of new cryptocurrencies - and so are criminals.

Researchers at Fortinet have found a new threat called ‘SpriteCoin’, billed as ‘[the] new cryptocurrency written entirely in JavaScript’, which is ‘sure to be a profitable coin’.

Potential buyers are urged to download a wallet to access the new currency. The wallet, distributed as an .exe file, is actually ransomware: while it claims to be downloading the blockchain that ‘SpriteCoin’ supposedly runs on, it is encrypting the computer's files.

It's not only the computer's files that are held hostage; the malware also harvests the user's saved Chrome and Firefox browser credentials, which it handles with an embedded SQLite engine and then sends to the attackers' Tor site in HTTP POST requests.
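A detection-side illustration of that exfiltration path, added here as an example (it is not Fortinet's analysis code and nothing from the malware sample): it parses constructed Squid-style proxy log lines and counts POST attempts per client to .onion hostnames, whether the proxy allowed or denied them. The log field layout, the client IPs and the onion name are all assumptions made for the example.

```python
"""Flag HTTP POST requests to .onion hosts in Squid-style proxy logs.

Added example, not code from Fortinet or from the SpriteCoin sample. The log
lines below are constructed, and the field layout assumes Squid's native
access.log format.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (Squid native format):
# time elapsed client code/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1516723201.112    345 10.0.0.12 TCP_MISS/200 1822 GET http://www.example.com/wallet/ - HIER_DIRECT/93.184.216.34 text/html
1516723205.498    912 10.0.0.12 TCP_MISS/200 512 POST http://abcdefghijklmnop.onion/upload.php - HIER_DIRECT/127.0.0.1 application/x-www-form-urlencoded
1516723206.101    880 10.0.0.12 TCP_MISS/200 498 POST http://abcdefghijklmnop.onion/upload.php - HIER_DIRECT/127.0.0.1 application/x-www-form-urlencoded
1516723210.004    120 10.0.0.33 TCP_MISS/200 2048 GET https://updates.example.org/manifest.json - HIER_DIRECT/203.0.113.7 application/json
1516723215.777    450 10.0.0.33 TCP_MISS/200 300 POST https://login.example.org/session - HIER_DIRECT/203.0.113.7 text/html
1516723220.313     60 10.0.0.12 TCP_DENIED/403 0 POST http://abcdefghijklmnop.onion/upload.php - HIER_NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def is_onion_host(host):
    """True for Tor hidden-service names: 16 (v2) or 56 (v3) base32 chars + .onion."""
    return bool(re.fullmatch(r"(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion", host.lower()))


def find_onion_posts(log_text):
    """Count POST attempts per (client, onion host).

    Denied requests (TCP_DENIED/403) are counted too: the attempt itself is
    the signal, regardless of whether the proxy let the data out.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and is_onion_host(rec["host"]):
            hits[(rec["client"], rec["host"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (client, host), n in find_onion_posts(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {n} POST attempt(s)")
```

The check only sees traffic that actually transits the proxy. A sample that bundles its own Tor client would never emit a plain HTTP request for a .onion name; in that case the signal to hunt for is the endpoint's outbound connections to Tor directory authorities and relays, not the proxy log.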

Victims are, somewhat ironically, told to pay in another cryptocurrency, Monero, to have their files unlocked: 0.3 XMR, worth about £65 at the time of writing.

The malware stresses that users will get their files back if they pay - and of course, you can trust criminals.

Victims who pay do not get their files back; instead they receive a fresh piece of malware (Fortinet's detection name: ‘W32/Generic!tr’), which leaves them at even greater risk. The new program can activate webcams, harvest certificates and parse images.

Like most ransomware, SpriteCoin is delivered through social engineering techniques, although it differs in using forum links rather than email scams.

Fortinet believes that the ransomware is not about the money, but is focused on testing new payload delivery mechanisms. "This is very similar to when attackers would test to see how effective or fast a worm would spread before really launching it. This could be the same concept," senior security researcher Tony Giandomenico told ZDNet.