The Krita digital painting application is currently being targeted by ransomware authors. Available on Steam and other platforms, it’s a powerful tool with a very cheap purchase price and great reviews. A perfect bit of bait to start reeling in potential victims, in other words.

How does the scam work?

Ransomware scammers send out mails to artists. Those mails claim to be from the team behind the Krita tool, and contain links which redirect potential victims to the real domain. This is to make everything look above board and legitimate.

The mails seen so far read as follows:

Hello dear, please give me a moment of your time. Krita team is eager to collaborate with you.

After this follows a generic promo text for the program. They follow this up with:

We would like to consider integrating a 30-45 second ready-made promo into your media space (Facebook, Instagram, Youtube), can we consider that?

Other mails claim that once the registration process is done and dusted, an email address, payment information, and phone number are required. Yes, there’s a bit of data grabbing alongside the malware slinging.

The aim of the game is revenue generation, and this is always going to be an attractive proposition for artists.

The bogus mediabank zip makes its entrance

Regardless of how the emails present themselves, there’s one common factor. They claim to link to a “mediabank” which contains icons, screenshots and previous video campaigns. The contents are described as “confidential”, which is a sneaky way to discourage potential victims from telling anybody about it.

Some folks have reported the contents of the zip as .scr files masquerading as images/videos.

Why an scr file?

Any scam which involves images has a good chance of falling back on scr files. It’s a very old technique. Folks unfamiliar with the extension may think it means “screenshot”, especially when they’re opening up zips expecting to see imagery. Sadly, this isn’t the case. An scr is a Windows screen saver file, and Windows runs it like any other program. If it contains bad things, then bad things will be headed your way in an instant.

Tricking visual artists with scr files seems like a particularly cruel trick, whether intentional or not.

What happens next?

Krita previously reported this as ransomware, and as you can see, the mails are still going strong:

They look pretty convincing, which certainly won’t hurt the scammers one bit. If you’re going to trick people who work with visuals, it pays to look as good as possible.

Forward on any dubious messages you receive to the Krita team, and delete the mails afterwards. Don’t trust zip attachments, and give any scr file extensions a wide berth. Turning on the display of file extensions is also helpful, both for this scam and for any other attack that relies on a hidden extension. It appears a lot of the domains used for these mails are down, but it’s easy enough to put up replacements. Be careful out there!
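As an added example (not part of the original post or of Krita’s own tooling), the following script applies the “mediabank” and scr advice above to a zip attachment before anyone opens it: it flags members whose real extension is executable, members that hide an executable extension behind a media one (the kind of name a hidden-extension Explorer view shows as “screenshot_01.jpg”), and members that start with the PE “MZ” magic regardless of name. The archive it inspects is constructed in memory with placeholder bytes; the file names are invented and not taken from a real sample.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs as programs; .scr is the one used in this scam.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a "mediabank" of icons, screenshots and videos would legitimately hold.
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".pdf"}


def suspicious_entries(zip_bytes: bytes) -> list[tuple[str, list[str]]]:
    """Return (member name, reasons) for each archive member that looks like
    an executable dressed up as a media file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            reasons = []
            if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {suffixes[-1]}")
            # "preview.jpg.scr": with extensions hidden, the user sees only ".jpg".
            if len(suffixes) >= 2 and suffixes[-2] in MEDIA_EXTS and suffixes[-1] not in MEDIA_EXTS:
                reasons.append(f"media extension {suffixes[-2]} followed by {suffixes[-1]}")
            # A Windows PE image always begins with the two bytes "MZ".
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("PE (MZ) header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for a 'mediabank' zip; contents are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mediabank/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("mediabank/screenshot_01.jpg.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("mediabank/promo_2023.mp4", b"\x00\x00\x00\x18ftypmp42")
        zf.writestr("mediabank/campaign.scr", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_entries(build_sample_archive()):
        print(f"{name}: {', '.join(reasons)}")
```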