In what could only be a joke, a new ransomware has been discovered called "PUBG Ransomware" that will decrypt your files if you play the game called PlayerUnknown's Battlegrounds.

Discovered by MalwareHunterTeam, the PUBG Ransomware, when launched, encrypts the files and folders on the user's desktop and appends the .PUBG extension to them. When it has finished encrypting the files, it displays a screen offering two methods for decrypting them.

PUBG Ransomware

This ransom screen states:

PUBG Ransomware Your files, images, musics, documents are Encrypted! Your files is encrypted by PUBG Ransomware! but don't worry! It is not hard to unlock it. I don't want money! Just play PUBG 1Hours! Or Restore is [ s2acxx56a2sae5fjh5k2gb5s2e ]

As stated in the ransom instructions, the first method that can be used to decrypt the files is to simply enter the "s2acxx56a2sae5fjh5k2gb5s2e" code into the program and click the Restore button.

If you want to be fancy, though, the ransomware also checks whether you're playing PlayerUnknown's Battlegrounds by monitoring the running processes for one named "TslGame" as shown below. Even though the ransom note states you need to run it for 1 hour, you only need to run the executable for 3 seconds.

Checking Processes Source

Once a user plays the game and the process is detected, the ransomware will automatically decrypt the victim's files. This ransomware is not too advanced as it only looks for the process name and does not check for other information to confirm that the game is actually being played. That means you can simply run any executable called TslGame.exe and it will decrypt the files.

Decrypting After Game is Played

This is not the first time a joke ransomware has been created that requires you to play a game before files will be decrypted. In 2017, MalwareHunterTeam also found RensenWare, which required you to play the TH12 Game and score .2 billion points in order to recover your files.

Update 4/10/18: Updated to clarify how long you need to run the TslGame program.

IOCs

Hash:

SHA256: 3208efe96d14f5a6a2840daecbead6b0f4d73c5a05192a1a8eef8b50bbfb4bc1
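A triage sweep built from the indicators on this page (the appended .PUBG extension and the SHA-256 above), as an added example that is not part of the original article. The function names and the default Desktop path are assumptions.

```python
import hashlib
from pathlib import Path

# SHA-256 of the PUBG Ransomware sample, taken from the IOC list on this page.
PUBG_SHA256 = "3208efe96d14f5a6a2840daecbead6b0f4d73c5a05192a1a8eef8b50bbfb4bc1"
ENCRYPTED_SUFFIX = ".pubg"  # ".PUBG" is appended; compared case-insensitively


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root, known_hashes=(PUBG_SHA256,)):
    """Walk `root` (hypothetical helper) and return (encrypted, samples).
    encrypted: (path, presumed original name) for files ending in .PUBG
    samples:   paths whose SHA-256 is in `known_hashes`
    """
    known = {h.lower() for h in known_hashes}
    encrypted, samples = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() == ENCRYPTED_SUFFIX:
            # The extension is appended, so stripping it gives the original name.
            encrypted.append((path, path.stem))
            continue
        try:
            if sha256_of(path) in known:
                samples.append(path)
        except OSError:
            # Unreadable file (locked, permissions): skip, do not abort the sweep.
            pass
    return encrypted, samples


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else Path.home() / "Desktop"
    hits, binaries = triage(root)
    for path, original in hits:
        print(f"encrypted: {path} (was {original})")
    for path in binaries:
        print(f"sample:    {path}")
```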

Targeted Extensions: