Earlier this week, Kaspersky Android malware analyst Tatyana Shishkova discovered Android ransomware masquerading as a mobile version of the Cyberpunk 2077 game. A fake website disguised to look like Google's Play Store was offering a mobile version of CDPR's latest title, but that version actually installed ransomware on the victim's mobile device.
This new ransomware has been dubbed Coderware, and once it infects a mobile device, the contents are fully encrypted.
However, this ransomware uses a “hardcoded key”, which means that a decryptor can be used to recover files without paying the ransom demanded by the cybercriminals. According to the ransomware instructions, affected victims have only 10 hours to send $500 worth of bitcoins to the attackers, or else their encrypted files will be permanently deleted. The hardcoded key is ‘21983453453435435738912738921’.
As pointed out by Tatyana Shishkova, this ransomware attack uses the same variant as the BlackKingdom ransomware that was released in early 2020. This ransomware is the same as one discovered by the MalwareHunterTeam in November that was disguised as a Windows Cyberpunk 2077 installer. The Windows variant was a Python-compiled executable that would encrypt the victim's files and then append the .DEMON extension to the encrypted files' names. It is not known at this time whether the Windows version also uses a hardcoded key.