New ransomware forces you to play PUBG video game.

April 20, 2018


The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of PUBG Ransomware [Pubg.RSM] actively spreading in the wild.

PUBG Ransomware encrypts the victims files and force them to play an hour of a game called PlayerUnknown's Battlegrounds to get their files back.

Infection Cycle:

Once the computer is compromised, the Ransomware starts searching for document files with following extensions:

While Ransomware is encrypting files, it will encrypt all files and append the .Pubg extension onto each encrypted file's filename.

After Ransomware encrypts all personal documents it generates a message that the computer has been encrypted and giving you two methods that you can use to decrypt the encrypted files.

The first method that can be used to decrypt the files is to simply enter the following code into the program and click the Restore code button.

For The second method you need to play PlayerUnknown's Battlegrounds for a few seconds.

The Ransomware checks if you're playing PlayerUnknown's Battlegrounds by monitoring the running processes on your machine.

The PUBG Ransomware isn't so advanced at all; running any executable called TslGame.exe will decrypt the files. Even the Ransomware stated that you need to play one hour you only need to run the executable for few seconds.

Sonicwall Capture Labs provides protection against this threat via the following signature:

  • GAV: Pubg.RSM (Trojan)