Warning over GermanWiper ransomware that erases victim's data but still asks for ransom
Victims have been advised not to pay the ransom, as that won't help them recover their files
Security researchers in Germany have issued a warning over new ransomware, named GermanWiper, which demands ransom from victims after erasing the data on their machines.
GermanWiper, as the name suggests, wipes out data from the victim's system. Although it is ransomware, it doesn't encrypt user files, but overwrites their content with zeroes and ones. In that way, it permanently destroys the ability to recover the user data with decryption keys or through any other means.
The ransomware was first reported on the BleepingComputer forum on 30th July, where a large number of users complained that some malicious programme was destroying their files but asking them to pay a ransom to get their files back.
Later, Germany's Computer Emergency Response Team (CERT) revealed that the threat actors behind the ransomware were trying to spread the infection through malicious email phishing campaigns, specifically targeting the HR staff of firms with emails posing as job applications.
The emails being sent have an attached CV (.zip file) as well as a LNK shortcut file. The LNK file is booby-trapped and, when the recipient opens the zip file, starts installing the ransomware. After the installation is complete, the programme rewrites the content of target files with the zero character. It also appends a new extension, such as .AVco3, .08kJA, .rjzR8, .OQn1B, etc., to those files.
After rewriting the content of all targeted files, the malware opens a ransom note (written in German) inside the default browser on the infected machine. It tells victims that they have seven days to pay the ransom, although paying the money doesn't help users to get their data back.
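For triage after a suspected infection, the two file-level traits described above (an appended extension and content replaced by zero characters) can be checked together. The following is an added example, not code from the article or from CERT; the five-character extension pattern, the reading of "zero character" as the NUL byte, and all function names are assumptions.

```python
import os
import re
import tempfile

# Assumption: five ASCII letters/digits, generalised from the article's samples
# (.AVco3, .08kJA, .rjzR8, .OQn1B).
APPENDED_EXT = re.compile(r"\.[A-Za-z0-9]{5}$")
# Assumption: "zero character" means the NUL byte; extend if samples differ.
FILL_BYTES = b"\x00"


def is_fill_only(path, fill=FILL_BYTES, chunk_size=1 << 16):
    """True if the file is non-empty and contains nothing but fill bytes."""
    seen = False
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            seen = True
            if chunk.translate(None, fill):  # bytes left after deleting fill
                return False
    return seen


def scan(root):
    """Return (wiped, name_only): name and content match, or name match only."""
    wiped, name_only = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not APPENDED_EXT.search(name):
                continue
            path = os.path.join(dirpath, name)
            (wiped if is_fill_only(path) else name_only).append(path)
    return sorted(wiped), sorted(name_only)


def build_sample(root):
    """Write a constructed sample tree (no real malware artefacts)."""
    samples = {
        "report.docx.AVco3": b"\x00" * 4096,  # appended extension, zero-filled
        "notes.xhtml": b"<html></html>",      # benign five-character extension
        "budget.xlsx": b"\x00" * 128,         # zero-filled, name does not match
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan(tmp))
```

Files in the second list match on name alone, which ordinary five-character extensions such as .xhtml also do, so only the combined name-and-content match is treated as a likely wiped file.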
So far, infection from GermanWiper is limited to the firms operating in Germany or German-speaking countries.
Notably, GermanWiper is not the first ransomware that has been found erasing the data on the computers of German-speaking users. In 2017, a ransomware named HSDFSDCrypt (Ordinypt) targeted a large number of German-speaking users and permanently destroyed their files.
That ransomware also used CVs of beautiful women to spread the malware and infect computers.
Researchers are currently also warning users about a new Lord exploit kit that is spreading ransomware via compromised websites. This exploit kit is part of a malvertising chain and uses a compromised site to redirect potential victims to a malicious landing page.
Researchers have also noticed that global ransomware attacks have decreased in recent months, but ransomware-as-a-service, cryptojacking and attacks on IoT devices are growing fast.