{
	"id": "e048d0e3-1802-47e4-9f7d-39466d95cb85",
	"created_at": "2026-04-06T00:19:54.119746Z",
	"updated_at": "2026-04-10T03:24:30.019675Z",
	"deleted_at": null,
	"sha1_hash": "d74f8164fe243946e9b11f381c358d246a6a9513",
	"title": "Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 632281,
	"plain_text": "Chaos Ransomware Variant in Fake Minecraft Alt List Brings\r\nDestruction to Japanese Gamers | FortiGuard Labs\r\nBy Shunichi Imano and Fred Gutierrez\r\nPublished: 2021-10-28 · Archived: 2026-04-05 21:39:21 UTC\r\nFortiGuard Labs Threat Research Report\r\nAffected Platforms: Windows\r\nImpacted Parties:    Japanese Minecraft Gamers\r\nImpact:                      Potential loss of files and money due to file encryption and destruction and paying ransom\r\nSeverity Level:          Medium\r\nMinecraft is one of the most popular digital games in the world. It was originally released in May 2009 by\r\nSwedish game developer Mojang Studios, which was acquired by Microsoft in 2014 for US $2.5 billion. Initially\r\nreleased for the Windows, Mac, and Linux platforms, the game is now available on 22 platforms including video\r\ngame consoles and mobile devices, including Android and iOS. As its gaming population has steadily grown,\r\nreaching more than 140 million monthly active players in August 2021, Minecraft has never been more popular 12\r\nyears after its initial release. Evidently, cybercriminals cannot pass up the opportunity to target such a large\r\nuserbase. \r\nFortiGuard Labs recently discovered a variant of the Chaos ransomware that appears to target Minecraft gamers in\r\nJapan. This variant not only encrypts certain files but also destroys others, rendering them unrecoverable. If\r\ngamers fall prey to the attack, choosing to pay the ransom may still lead to a loss of data. In this report we will\r\ntake a look at how this new ransomware variant works.\r\nhttps://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction\r\nPage 1 of 5\n\nFigure 1. 
Growth of Monthly Active Minecraft Players since June 2016 per Statista\r\nRansomware Lure Being Posted to Japanese Minecraft Forums\r\nGamers create “alt” (alternative) accounts within Minecraft for various purposes (both good and bad): they allow\r\nthem to antagonize/troll other players without having their main account banned, they provide cover for an\r\nalternative in-game identity/personality, they help avoid getting their main account banned for using cheats\r\n(gaining an unfair advantage over other gamers), etc. FortiGuard Labs has discovered a variant of Chaos\r\nransomware hidden in a file pretending to contain a list of “Minecraft Alt” accounts, which leads us to believe\r\nthat the effort is to target Minecraft gamers in Japan.\r\nEven though they are often publicly available through Minecraft online forums, Alt Lists contain stolen accounts\r\nthat gamers can use to do the things listed above. That’s what the threat actors behind this ransomware attack are\r\nusing to lure victims to download and open the file.\r\nIn this case, the file is an executable, but it uses a text icon to fool potential victims into thinking it is a text file\r\nfull of compromised usernames and passwords for Minecraft. While we don’t know how this specific fake list is\r\nbeing distributed, it’s a safe guess that the file is being advertised on Minecraft forums for Japanese gamers.\r\nHow the Executable Works\r\nOnce the executable file is opened, the malware searches for files smaller than 2,117,152 bytes on the\r\ncompromised machine and encrypts them. It then appends four random characters chosen from\r\n“abcdefghijklmnopqrstuvwxyz1234567890” to each of those files as a file extension.\r\nFiles larger than 2,117,152 bytes with specified file extensions, however, are filled with random bytes so the victim will\r\nnot be able to get those files back even if the ransom is paid. 
This destructive element sets the attack apart\r\nfrom a typical ransomware attack, and is a very troubling component.\r\nIt is not known why the malware authors have chosen these file size values or why they choose to encrypt some\r\nfiles and destroy others. But it is interesting to note that the Chaos malware was originally classified as a wiper\r\nmalware with the ransomware component added later.\r\nFigure 2. List of file extensions this Chaos variant targets for destruction\r\nOnce the attack takes place, a dropped ReadMe.txt file asks the victim to pay a ransom in either bitcoin or pre-paid cards. The requested amount to decrypt the files is equal to 2,000 yen (approx. US $17), which is dirt cheap\r\ncompared to the amounts other ransomware attacks typically demand. The ransom note does not specify which\r\ntype of pre-paid card the attacker wants. All kinds of pre-paid cards (online shopping, gaming, music, mobile\r\nphone charge and online streaming services) are available in convenience stores. Japan has more than 50,000\r\nconvenience store locations selling pre-paid cards and most are open 24/7.\r\nThe ransom note also states that the attacker is available only on Saturdays and apologizes for any inconvenience\r\ncaused. The malware does not include code to identify the language setting of the compromised machine and the\r\nransom note is available in Japanese only. This, combined with the formal language of the ransom note, indicates\r\nthis Chaos ransomware variant specifically targets Japanese Windows users.\r\nFigure 3. Ransom note\r\nThe ransomware also deletes shadow copies from the compromised machine, which prevents the victim from\r\nbeing able to recover any files that had been encrypted, making it doubly destructive. 
FortiGuard Labs previously\r\nreleased a blog about shadow copy deletion carried out by ransomware. Luckily, this Chaos ransomware variant\r\ndoes not have any code to steal data from the compromised machine.\r\nThe malware also changes the desktop wallpaper, perhaps to add more pressure to the victim to pay the ransom.\r\nFigure 4. Image of desktop wallpaper replaced by the ransomware\r\nConclusion - Chaos Ransomware Variant\r\nThere is nothing fancy about this Chaos ransomware variant nor its infection vector. However, despite its cheap\r\nransom demand, its ability to destroy data and render it unrecoverable makes it more than a mere prank to annoy\r\nJapanese Minecraft gamers. Ransomware is still ransomware, and in this case, the victim may not be able to get\r\ntheir original files back, with or without making a ransom payment. The best advice is for players to stay off\r\nsuspicious gaming cheat sites and simply enjoy the game the way it was meant to be played.\r\nFortinet Protections\r\nFortiGuard Labs has AV coverage in place for all of the malicious file samples in the report as:\r\nMSIL/Filecoder.AGP!tr.ransom\r\nDue to the ease of disruption, damage to daily operations, potential impact to the reputation of an organization,\r\nand the unwanted destruction or release of personally identifiable information (PII), etc., it is important to keep all\r\nAV and IPS signatures up to date.\r\nIOCs\r\nSHA2:\r\n1a00c3f9173ee4c6f944e2dcebe44ca71f06455951728af06eba0f945e084907\r\naacce549a756cd942ee79f57625d0902ce79315f4e4bfb1381afa208599d7be5\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services 
portfolio.\r\nLearn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda\r\n(TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans\r\nprogram. Learn more about FortiGuard Labs global threat intelligence and research and the FortiGuard Security\r\nSubscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction"
	],
	"report_names": [
		"chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434794,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d74f8164fe243946e9b11f381c358d246a6a9513.pdf",
		"text": "https://archive.orkl.eu/d74f8164fe243946e9b11f381c358d246a6a9513.txt",
		"img": "https://archive.orkl.eu/d74f8164fe243946e9b11f381c358d246a6a9513.jpg"
	}
}