SpriteCoin Ransomware Spreads via Forums to Encrypt Data and Deliver New Malware

A new type of scam named SpriteCoin has recently hit over 7,000 computer users amazed by the increasing popularity of cryptocurrency which has brought people fortune. The SpriteCoin scam takes advantage of the publicity of Bitcoin, which has attracted masses' attention because of the increasing costs and profits that can be made by those who invested in the currency a few years ago. The SpriteCoin scam is a ransomware infection that attempts to trick victims into downloading a digital wallet which in reality is a data-encrypting program that also initiates the download of a new threat after the user pays for data decryption.

SpriteCoin is an non-existent currency which has been advertised on forums as an easy tool for getting rich quickly. Unfortunately, those who have already fallen victims to this SpriteCoin ransomware do not advantage from the software, but are required to pay a release fee of around $100 in Monero, another cryptocurrency gaining in popularity in the dark market.

When the victim launches the executable of the SpriteCoin software, which is identified as spritecoind.exe, a prompt window asking to enter a password for the digital wallet is displayed. Moreover, the victim is informed that a blockchain is being downloaded. In reality, the SpriteCoin ransomware is taking control over the files stored on the computer, i.e., encrypting files and adding the extension .encrypted to every affected file. The threat targets some 50 file extensions, including .txt, .html, .docx, .xls, .mp4, .zip, .png, and some more. Moreover, the ransomware collects the credentials stored on Chrome and Firefox. It has been found that the SpriteCoin threat uses an embedded SQLite engine for data storage, and transmits the data obtained to a Tor website via POST requests. The infection copies itself to the %APPDATA% directory as MoneroPayAgent.exe and relaunches the copy. Additionally, the threat adds its component to the registry.

When the victim attempts to launch a selected file, the infection generates a ransom note in a browser window. Not surprisingly, the warning has the popular headline "Your files are encrypted" and some typical features of a ransom note, such as the explanation of the payment procedure. Those behind the SpriteCoin demand a 0.3 Monero release fee which, unfortunately, would lead to even more malware.

Paying up and using the decryption key initiates the installation of a new malicious program that is already named W32/Generic!tr, W32/Agent.DDFA!tr, and W32/MoneroPay.F3F6!tr.ransom. The new infection activates the webcam, harvest certificates, and parse images. In order to avoid another payload, it is essential that victims not pay, and this recommendation applies to every single ransomware-related case. Security experts have not fully analyzed the second malware yet, but they firmly claim that similar scam schemes are going to be employed in the future.

The SpriteCoin ransomware is considered to be a test version checking the waters of the market because of its relatively low ransom fee compared to the sums requested by ransomware infections demanding Bitcoin. The Monero currency is a new currency created in 2014, and researchers speculate that in the near future cyber criminals may start shifting from Bitcoin to other new cryptocurrencies because of the high costs of Bitcoin and some other reasons. Small changes in the rate of Bitcoin would significantly alter the price of a Bitcoin, reaching as much as several thousand dollars, whereas a change in Monero would not cause dramatic losses.

It has been observed that instead of providing a ransom fee in Bitcoin, some attackers present victims with a sum in dollars. It is foreseen that the surging cost of Bitcoin will result in no profit for the attackers, because victims will not afford the sum requested. Hence, new alternatives are being searched for. However, cyber schemers use different pricing models. For example, victims in poorer countries are charged less than in richer ones, and the Fatboy ransomware is one of such ransom threats.

Moreover, Monero offers some privacy and security features that keep the user of the currency anonymous and also do not enable anyone to access payment history. Bitcoin has been thought to offer people anonymity by providing them with randomly generated digital wallet names; however, Bitcoin addresses are recorded on the blockchain enabling law enforcement agencies to use analytic tools to track Bitcoin transactions. Monero, by comparison, uses ring signatures and some other techniques to hide the identity of the sender and the recipient.

Security experts encourage businesses to prepare for new ransowmare attackers by backing up their data and creating recovery plans. It is advised to disregard the fact that Windows shadow volume copies can be used because some ransomware threats are delete them to prevent any possible recovery. Moreover, personnel training programs should be run to educate employees about malware preventative measures and online security.


Barth, Bradley. Crooks fabricate SpriteCoin cryptocurrency as lure to download ransomware. January 23, 2018.
FortiGuard SE Team. SpriteCoin: Another New CryptoCurrency... or NOT!. January 22, 2018.
Goud, Naveen. Spritecoin Cryptocurrency is fake and instead spreads Ransomware
Hautala, Laura. Fake cryptocurrency app installs ransomware on your computer. January 23, 2018.
Palmer, Danny. Fake cryptocurrency scam delivers ransomware - and more malware when you pay up. January 23, 2018.
Palmer, Danny. Ransomware's bitcoin problem: How price surge means a headache for crooks. December 12, 2017.