New “Heroes of the Storm” Ransomware is Based on HiddenTear

Ransomware can come in many different forms, sizes, and shapes. Every now and then, a unique version pops up which attracts some form of attention. RestoLocker is a malware type currently still in development. It is based on the HiddenTear family, which has been making the rounds for some time now. The Heroes of the Storm theme will turn quite a lot of heads, though.

RestoLocker can become a Problematic Malware Type

As is the case with any in-development type of malicious software, not much is known about it in its current form. At least one ransomware sample has already been identified by security researchers, and it reveals some interesting features. Perhaps the most noteworthy is how it aims to ride the coattails of the popular online game Heroes of the Storm. This entire ransomware variant is themed around this particular game, and it even uses the name to rename encrypted files.

While Heroes of the Storm is a very popular online game – especially in eSports – it has nothing to do with RestoLocker itself. For some reason, the latter’s developer assumed it would be funny to use this brand as a way to add some more color to the lock screen and the ransom note. Not too long ago, we came across a new ransomware version which used the Death Note theme. Criminals are struggling to come up with something new under the hood, so they often resort to using known brands as a way to raise awareness.

RestoLocker currently renames encrypted files to the .HeroesOftheStorm extension. Once again, this has nothing to do with the game or its developers whatsoever. It is possible this malware was created to target specific HoTS players, though, as that would explain a thing or two. This is only speculation at this point, and it is unclear what the objective of this malware is in the long run. It is doubtful this new ransomware will impact the game’s reputation in any significant manner.
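For responders scoping a suspected infection, the extension above is the one concrete indicator the article gives. The following is an added example, not code from the article or from the malware: it sweeps a directory tree for files carrying that extension and reports, per folder, how many there are and the span of their modification times. The sample file names, the timestamps and the use of modification time as a rough proxy for when a file was rewritten are assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict

MARKER_EXT = ".heroesofthestorm"  # extension from the article, lower-cased

def sweep(root):
    """Group files carrying the marker extension by directory under root."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(MARKER_EXT):
                continue  # the game's name inside a file name is not a hit
            try:
                mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # file vanished or unreadable; keep sweeping
            rec = hits[os.path.relpath(dirpath, root)]
            rec["count"] += 1
            rec["first"] = mtime if rec["first"] is None else min(rec["first"], mtime)
            rec["last"] = mtime if rec["last"] is None else max(rec["last"], mtime)
    return dict(hits)

def rename_window(hits):
    """Earliest and latest mtime over all hits, or None if nothing matched."""
    if not hits:
        return None
    return (min(r["first"] for r in hits.values()),
            max(r["last"] for r in hits.values()))

def build_constructed_tree(root):
    """Constructed sample data: (relative path, mtime in epoch seconds)."""
    sample = [
        ("Documents/report.docx.HeroesOftheStorm", 1_500_000_100),
        ("Documents/budget.xlsx.heroesofthestorm", 1_500_000_160),
        ("Documents/notes.txt", 1_400_000_000),
        ("Pictures/holiday.jpg.HeroesOftheStorm", 1_500_000_220),
        ("Games/HeroesOftheStorm.lnk", 1_450_000_000),  # legitimate shortcut
    ]
    for rel, mtime in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample\n")
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        found = sweep(tmp)
        for folder, rec in sorted(found.items()):
            print(folder, rec)
        print("window:", rename_window(found))
```

Folders with hits show which data needs restoring from backup, and the earliest timestamp gives a starting point for reviewing mail and web logs from before that time.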

Preliminary research shows that RestoLocker is based on the HiddenTear ransomware family. In fact, a few dozen HiddenTear “clones” pop up every single week. This particular version caught our attention due to the Heroes of the Storm references, even though it does not seem to pack anything noteworthy under the hood. That does not mean this malware should be dismissed out of hand, but it is not something most people will give a second look unless they become infected.

It remains unclear exactly how this malware is distributed. Spam email campaigns seem to be the most likely culprit, although it can also be packaged as a drive-by download on gaming websites. So far, the number of samples remains fairly limited, which indicates the actual distribution of this malware has yet to begin. It will be interesting to see how this software evolves once it passes the development stage. For now, it is impossible to tell if and when that will happen.

While most ransomware types demand a Bitcoin payment, there is no indication RestoLocker will do the same. We have seen some malware types demand payments through gift cards, iTunes codes, and the like. With so many unknowns regarding RestoLocker right now, its future remains uncertain. The references to Heroes of the Storm are quite worrisome, although mostly harmless for the time being.

JP Buntinx

JP Buntinx is a FinTech and Bitcoin enthusiast living in Belgium. His passion for finance and technology made him one of the world's leading freelance Bitcoin writers, and he aims to achieve the same level of respect in the FinTech sector.
