August 10, 2016
The suspected German-speaking hackers have misspelt ransomware as 'ransonware'.
Fighting Europe's Capital of Cyber Crime
A new unusually named ransomware variant has been uncovered by security researchers. The Hitler ransomware – misspelt by hackers as "ransonware" – is the latest of its kind and appears to be in development mode. The ransomware displays a lock screen featuring an image of Hitler and a message that claims that the victims' files have been encrypted.
First discovered by AVG malware analyst Jakub Kroustek, the Hitler ransomware reportedly demands victims to enter a code for a €25 (£21, $27) Vodafone Card, according to Bleeping Computer. The author/authors of the ransomware are suspected to be based out of Germany, especially given the German text found embedded in the ransomware code.
Unlike most other ransomware variants, this malicious software does not ask for victims to make payments in Bitcoins. Instead, it uses an alternative ransom payment approach, accepting codes for gift cards, which is similar to that of TrueCrypter that sought ransom via Amazon gift cards. However, the Hitler malware apparently demands a cash code for a Vodafone Card, which is likely a credit top-up card.
Thomas Pore, director of IT at cyber security firm Plixer told IBTimes UK, "With other indicators of an early product, the lock screen showing the misspelling 'Ransonware' suggests that we will likely see a more mature version popping up shortly.
" It's interesting that this variant does not actually encrypt the files, possibly for detection avoidance. However the approach to delete all of the files upon reboot after initiating an OS crash leaves users few alternatives. This is why users will likely continue to pay the ransom."
Yet another twist in the plot is that instead of encrypting files, the ransomware actually deletes the original extension of files and shows an ominous one-hour countdown clock. After the countdown is completed, the ransomware crashes Windows and the ever-feared blue screen of death is displayed. Alarmingly, upon a system reboot, the ransomware deletes all files stored in the user profile folder.
Based on the text featured alongside the ransomware, the Hitler malware appears to be a test variant. "This is a test rather a Hello World," the text reads and likely refers to the author as "Cool Wet". "I am a Pro for Tools for Windows," the hacker boldly declared.
Ransomware here to stay
"Ransomware, or 'Ransonware' in this case, is not going away any time soon. Why? Because it's very successful. Users love to click on URLs and open attachments," Pore added. "A routine off-site or off-network backup is the only sure-fire way to recover from ransomware. User training to identify phishing attacks is also paramount. Users just love clicking on URLs in email.. Implementing software white-list or restriction policy could potentially stop the malware from running as well."
The author of the ransomware is suspected to be based out of Germany, especially given the German text found embedded in the ransomware code