Ransomware - rensenWare

rensenWare
Aliases
Lyonseonware
Ryunsunware
Touhou
Decryptor Available
Yes
Description

RensenWare is unique in that it requires the victim to play a game to receive the decryption of files. The creator, Kangjun Heo (0x000000FF), initially created it out of boredom and curiosity. The controversy began when he uploaded instructions and the source code to GitHub. Not only that, but he also uploaded the first official version to VirusTotal, allowing researchers to access the sample. However, if threat actors have the source code, they can tweak it to create their own malware variants, which eventually happened. This is another example of ransomware authors posting their source code for educational purposes that has allowed malicious threat actors to get ideas and create their own destruction.

Although, to Heo's credit, he issued an apology and even created several decryptors for the software. The rensenWare payload was written in C# and required users to get "0.2 billion points" (200 million points) in the bullet hell game Touhou Seirensen - Undefined Fantastic Object (Touhou 12) on lunatic mode. Upon execution, the process encrypts files with certain file extensions using AES-256-CBC and then appends the .RENSENWARE extension onto each encrypted file, just as most traditional crypto-ransomware would. However, the ransom demand asks for 0.2 billion points, as stated prior. Once a user achieves the required score, the encryption process will revert.

There are a few problems with the encryption and decryption process. For starters, the encryption algorithm is AES, a symmetric encryption algorithm, which means that the same key is used to encrypt and decrypt files. The AES key is stored in memory and is randomly generated upon execution. If the program were to have its process killed or you restart your system, your files are lost forever. The other main problem is that Touhou 12 isn't free, so the victim will, at minimum, have to pay for the cost of the game. Thankfully, because the author accidentally infected himself one night, he released three decryptors for rensenWare - the original "forcer," an enhanced version of the original, and a decryptor that satisfies the score requirement without having to have the game.

Ransomware Type
Crypto-Ransomware
FOSS
Country of Origin
South Korea
First Seen
Last Seen
Threat Actors
Type
Actor
Individual
Kangjun Heo (0x00000FF)
Extortion Types
Direct Extortion
Gamification
Extortion Amounts
Amount
200 Million Points
Encryption
Type
Symmetric
Files
AES-256-CBC
File Extension
<file name>.RENSENWARE
Ransom Note Name
Rensenware WARNING!
Ransom Note Image
rensenWare-RansomNote-7bf56
Click to enlarge
Samples (SHA-256)
7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a
Known Victims
Industry Sector Country Extortion Date Amount (USD)
Individual South Korea 200 Million Points
Decryptors
GitHub: @0x00000FF - rensenWare Forcing Tool
Ars Technica: Do you want to play a game? Ransomware asks for high score instead of money
Avast: Rensenware (Touhou Ransomware)
BleepingComputer: RensenWare Will Only Decrypt Files if Victim Scores .2 Billion in TH12 Game
Chosun Media: <Detail Tracking>Last month, there was a domestic ransomware 'Lyonseonware'
GitHub: @0x00000FF - rensenWare
GitHub: @0x00000FF - rensenWare apology
ISARC: [Malware Code Analysis] 'Rensenware' analysis that requires game score
Kotaku: Anime Malware Locks Your Files Unless You Play A Game
Namuwiki: rensenWare
NJCCIC: RensenWare
OpenSea: rensenWare embedded NFT
Polygon: Virus locks out data, unless you can score 200 million in an impossible game
The Verge: New ransomware locks your files behind an anime bullet hell shooter
Twitter | X: @malwrhunterteam - rensenWare
Twitter | X: @TouhouHijackLOL - rensenWare
Wikipedia: Rensenware
Ransomware Tracker