New Crypto-Stealing Ransomware Targets Fortnite Players

A new ransomware masquerades as a Fortnite cheat and asks victims to pay up in crypto.

AccessTimeIconAug 26, 2019 at 7:00 p.m. UTC
Updated Dec 11, 2022 at 7:48 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global event for everything crypto, blockchain and Web3.Register Now
A new piece of  ransomware called Syrk will encrypt files on your hard drive while deleting entire folders if the ransom is not paid. The malware is based on the open source  Hidden-Cry program, an encryptor that appeared online last December and has been the basis for many bits of malware over the past year.

Image via Cyren

Home to some 250 million players, Fortnite users are a prime target for this kind of malware.

“Combining game malware with ransomware was inevitable,” said Chris Morales, head of security analytics at Vectra. “Social engineering through online video games has been going on for some time. It is a large audience to target and an industry that is known to look for shortcuts. Malware posing as a hack tool is novel as it will not be validated by any app store and bypasses the normal security controls. This makes encrypting files using a game hack highly opportunistic and easy to execute.”

Syrk targets Fortnite users by masquerading as a cheating app for the game. The Syrk malware appears as "SydneyFortniteHacks.exe" and when it is run the app begins encrypting files on the user's hard drive and USB drives. If a ransom isn't paid in crypto the app starts deleting one important folder after another, culminating in your Documents folder

“The next step is it will set a timed procedure to try and delete the encrypted files in the directories listed below, deleting the files every two hours in the following order: %userprofile%\Pictures; %userprofile%\Desktop; and %userprofile%\Documents,” the researchers wrote.

Luckily the malware is based on a known attack vector and the software is easy to circumvent. Victims can easily unlock their computers by looking for a few text files on their drives. These files contain the passwords use to shut down the ransomware before it can delete your files, a nice feature that should stop many from having to shell out crypto for a clean computer.

Given the ease with which users can disable the malware, it's not clear how many victims paid the crypto ransom the creators required.

Image via Shutterstock.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.