{
	"id": "9a5f4955-c61d-496b-a59f-3b11f6dd3299",
	"created_at": "2026-04-06T00:06:08.963891Z",
	"updated_at": "2026-04-10T13:12:52.349138Z",
	"deleted_at": null,
	"sha1_hash": "ffdb005019be61f5f67af09f879538c07dc394bb",
	"title": "Roblox Game Pass store used to sell ransomware decryptor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3252308,
	"plain_text": "Roblox Game Pass store used to sell ransomware decryptor\r\nBy Lawrence Abrams\r\nPublished: 2022-06-09 · Archived: 2026-04-05 21:50:00 UTC\r\nA new ransomware is taking the unusual approach of selling its decryptor on the Roblox gaming platform using the service's\r\nin-game Robux currency.\r\nRoblox is an online kids gaming platform where members can create their own games and monetize them by selling Game\r\nPasses, which provide in-game items, special access, or enhanced features. \r\nTo pay for these Game Passes, members must purchase them using an in-game currency called Robux.\r\nhttps://www.bleepingcomputer.com/news/security/roblox-game-pass-store-used-to-sell-ransomware-decryptor/\r\nSelling decryptors on Roblox\r\nToday, security researcher MalwareHunterTeam found a new ransomware named 'WannaFriendMe' that impersonates the\r\nnotorious Ryuk Ransomware. However, in reality, it is a variant of the Chaos Ransomware.\r\nIn June 2021, a threat actor began selling a Chaos ransomware builder that allowed wannabe criminals to create their very\r\nown ransomware infection with customized ransom notes, encrypted file extensions, and other features.\r\nBy default, the Chaos builder pretends to be Ryuk, using the .ryuk extension for encrypted files, as shown below.\r\nFiles encrypted by the Chaos ransomware variant\r\nSource: BleepingComputer\r\nWhat makes the new WannaFriendMe ransomware stand out is that instead of demanding cryptocurrency as a ransom\r\npayment, it requires victims to purchase a decryptor from Roblox's Game Pass store using Robux, as can be read in the\r\nransom note below:\r\n----- YOUR FILES HAVE BEEN ENCRYPTED! -----\r\nDon't panic, your files are decryptable, But your files can only be decrypted with our own decrypter tool! 
To get\r\nthis decrypter, you must buy this gamepass: https://www.roblox.com/game-pass/49955147/Ryuk-Decrypter\r\nYOU MUST HAVE A ROBLOX ACCOUNT TO BUY THE GAMEPASS, BUY 1700 ROBUX AND THEN\r\nBUY THE GAMEPASS ABOVE.\r\nAFTER BUYING THE GAMEPASS, CONTACT xxx@icloud.com WITH YOUR USERNAME AND\r\nSCREENSHOT OF YOU OWNING THE GAMEPASS. DO NOT DELETE THE GAMEPASS OTHERWISE\r\nYOU WILL DISOWN THE GAMEPASS.\r\nWhen visiting the URL to the Roblox Game Pass store, you can see that the 'Ryuk Decrypter' is being sold by a user named\r\n'iRazormind' for 1,499 Robux and was last updated on June 5th.\r\nDecryptor sold as a Roblox Game Pass\r\nSource: BleepingComputer\r\nThe problem with Chaos ransomware variants is that they not only encrypt your data but also destroy it in many cases.\r\nWhile encrypting a device, any file greater than 2MB in size will be overwritten with random data and not encrypted. 
This\r\nmeans that even if you purchase a decryptor, only files smaller than 2MB can be recovered.\r\nWannaFriendMe source code showing how it destroys files\r\nSource: BleepingComputer\r\nRoblox told BleepingComputer that they removed the Game Pass and the account hosting the decryptor.\r\n“Roblox maintains many systems to keep our users safe and secure, and while this case did not relate to any\r\nexploit or vulnerability on Roblox, we have taken swift action to remove the Game Pass in question and we have\r\npermanently removed the account responsible for a breach of our Terms of Service.” - Roblox.\r\nWhile it is unclear how this ransomware is distributed or if it has been used in attacks, its destructive nature and its targeting\r\nof young gamers could lead to significant damage.\r\nThis is not the first time Chaos ransomware variants have targeted gamers.\r\nIn October, threat actors targeted Japanese Minecraft players with 'alt lists' allegedly containing stolen Minecraft accounts\r\nbut encrypted devices with the Chaos ransomware variant instead.\r\nUpdate 6/13/22: Added Roblox statement.\r\nSource: https://www.bleepingcomputer.com/news/security/roblox-game-pass-store-used-to-sell-ransomware-decryptor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/roblox-game-pass-store-used-to-sell-ransomware-decryptor/"
	],
	"report_names": [
		"roblox-game-pass-store-used-to-sell-ransomware-decryptor"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433968,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ffdb005019be61f5f67af09f879538c07dc394bb.pdf",
		"text": "https://archive.orkl.eu/ffdb005019be61f5f67af09f879538c07dc394bb.txt",
		"img": "https://archive.orkl.eu/ffdb005019be61f5f67af09f879538c07dc394bb.jpg"
	}
}