A month or so ago a friend of mine received the following message on Steam from someone in their Friends list (they were already friends):
Figure 1 - 'this is for you'Β
Β
Β
Β
Β
Β
Β
Β
Β
Β
Β
Β
Β
Β
Β
Β
The two links are different and refer to a Gift Card on Steam's community platform. As you might have noticed, the domain is not related to Steam at all, but rather is an attempt at phishing.
The differences are subtle enough that you may just miss it. When you click on the link, you are redirected to a 'Summer Gift Marathon'.
Figure 2 - Fake Steam website
Once you log in to the fake Steam website, your credentials are stolen and will be used to spread more phishing, likely steal your inventory items and so on.
Other phishing sites related to this campaign are:
New ones do pop up from time to time, so stay vigilant.Β
TipsΒ Β
Only log in on the legitimate Steam community website, this being https://steamcommunity.com/. An extra tip is to bookmark the legitimate site, so even if you do get a message like this, you can go straight to your bookmark and search what you need from there.
Β
If someone new tries to add you as a Friend and immediately sends a message like the above, alarm bells should start ringing.
Β
If someone already on your Friends list suddenly sends a random message with an even more random link out of the blue, cue the alarm bells again.Β
Β
If you want to check the website out in a safe manner, then you can use URLscan.io, which will give you a verdict of the website as well as an image preview. In addition, you can use VirusTotal to review a website's reputation.
Β
Note that an 'all clean' does not necessarily mean it is. Caution above all!Β
Β
Follow Steam's Account Security Recommendations to stay safe.
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us the e-mail: MastersRecovery@protonmail.com and send personal ID KEY: In case of no answer in 24 hours us to theese e-mail: MastersRecovery@cock.li
The user may send up to 5 files for free decryption, as "guarantee". There's also a warning message at the end of the ransomware screen:
Do not rename encrypted files. Do not try decrypt your data using party software, it may cause permanent data loss. Decryption of your files with the help of thrid parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Spartacus will encrypt files, regardless of extension, in the following folders:
Figure 2 - Target folders to encrypt
Generating the key:
Figure 3 - KeyGenerator
As far as I'm aware, Spartacus is the first ransomware who explicitly asks you to send the public key (ID KEY), rather than just sending an email, including the Bitcoin address straight away, or sending the key automatically.
Encrypted files will get the extension appended as follows: .[MastersRecovery@protonmail.com].SpartacusΒ
For example:
Β Penguins.jpg.[MastersRecovery@protonmail.com].Spartacus
It will also drop the ransomware note, "READ ME.txt" in several locations, such as the user's Desktop:
All your data has been locked us. You want to return? Write email MastersRecovery@protonmail.com or MastersRecovery@cock.li Your personal ID KEY: DvQ9/mvfT3I7U847uKcI0QU3QLd+huv5NOYT2YhfiySde0vhmkzyTtRPlcu73BAJILIPdALjAIy5NLxBHckfyV2XS+GXdjlHMx2V/VEfj4BrZkLB3BQtEdAqS1d2yzb/2+AqTNjsRfZ99ZWVxUZO3AeEZk5h0+3hNM5GogUN2oV5zHkbMZuDaXZxQr56r8UKnW7gmSycdcJh2ueZMuEP1tAuuzdZYgmZ05x9ZT8FX9HIo03rwsi6UiJlgUTZCkiilZjxYyG+qVE+Gjk4H7dnXbQP1PC3k2WICA9R4TYb9SCdv8U/e5sxbuKAbJgEZ114liwHLasmLvQfKYSbxMlbEg==
Interestingly enough, Spartacus also embeds what appears to be a hardcoded and private RSA key:
A unique mutex of "Test" will be created in order to not run the ransomware twice, and Spartacus will also continuously keep the ransomware screen or message from running in the foreground or on top, using the SetForegroundWindow function:
Figure 4 - Ransom will stay on top and annoy the user