Ransomware - rensenWare

Decryptor Available

RensenWare is unique in that it requires the victim to play a game to receive the decryption of files. The creator, Kangjun Heo (0x000000FF), initially created it out of boredom and curiosity. The controversy began when he uploaded instructions and the source code to GitHub. Not only that, but he also uploaded the first official version to VirusTotal, allowing researchers to access the sample. However, if threat actors have the source code, they can tweak it to create their own malware variants, which eventually happened. This is another example of ransomware authors posting their source code for educational purposes that has allowed malicious threat actors to get ideas and create their own destruction.

Although, to Heo's credit, he issued an apology and even created several decryptors for the software. The rensenWare payload was written in C# and required users to get "0.2 billion points" (200 million points) in the bullet hell game Touhou Seirensen - Undefined Fantastic Object (Touhou 12) on lunatic mode. Upon execution, the process encrypts files with certain file extensions using AES-256-CBC and then appends the .RENSENWARE extension onto each encrypted file, just as most traditional crypto-ransomware would. However, the ransom demand asks for 0.2 billion points, as stated prior. Once a user achieves the required score, the encryption process will revert.

There are a few problems with the encryption and decryption process. For starters, the encryption algorithm is AES, a symmetric encryption algorithm, which means that the same key is used to encrypt and decrypt files. The AES key is stored in memory and is randomly generated upon execution. If the program were to have its process killed or you restart your system, your files are lost forever. The other main problem is that Touhou 12 isn't free, so the victim will, at minimum, have to pay for the cost of the game. Thankfully, because the author accidentally infected himself one night, he released three decryptors for rensenWare - the original "forcer," an enhanced version of the original, and a decryptor that satisfies the score requirement without having to have the game.

Ransomware Type
Country of Origin
South Korea
First Seen
Last Seen
Threat Actors
Kangjun Heo (0x00000FF)
Extortion Types
Direct Extortion
Extortion Amounts
200 Million Points
File Extension
<file name>.RENSENWARE
Ransom Note Name
Rensenware WARNING!
Ransom Note Image
Samples (SHA-256)
Known Victims
Industry Sector Country Extortion Date Amount (USD)
Individual South Korea 200 Million Points