Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Unfinished Hitler-Ransomware Variant Deletes User Files

Hitler-Ransomware, a piece of file-encrypting malware that emerged recently, isn’t yet able to encrypt files, but still displays a lock screen and asks for a €25 ($28) ransom.

Hitler-Ransomware, a piece of file-encrypting malware that emerged recently, isn’t yet able to encrypt files, but still displays a lock screen and asks for a €25 ($28) ransom.

The ransomware appears to be under development, with an unfinished version leaking online, but might also be the work of less skilled developers, BleepingComputers’ Lawrence Abrams notes. The malware includes some spelling errors within the interface and does not encrypt user files, but can do significant harm to infected systems.

To be more precise, the Hitler-Ransomware (or Hitler-Ransonware, as it is misspelled on the lock screen), removes all extensions from the files under various directories, displays a lock screen featuring Hitler, and starts a one hour countdown. After an hour, the malware would crash the victim’s computer and would delete all the files under %UserProfile% upon reboot.

Discovered by AVG malware analyst Jakub Kroustek, the ransomware’s code reveals that it might have been created by a German developer. German text found in an embedded batch file reveals that the malware sample might indeed be only a test version.

According to researchers, the ransomware’s executable is a batch file that has been converted into an installer executable with some other bundled applications. Upon execution, the ransomware runs a batch file destined to remove all file extensions for the files in the %UserProfile% Pictures, Documents, Downloads, Music, Videos, Contacts, Links, and Desktop folders.

Next, the ransomware extracts three files into the %Temp% folder on the victim’s machine, namely chrst.exe, ErOne.vbs, and firefox32.exe. On top of that, the malware copies the firefox32.exe file into the Common Startup folder to ensure that it runs at boot.

The next step is to run the ErOne.vbs script, which displays an alert saying “The file could not be found!” in an attempt to trick the victim into thinking that the program didn’t work correctly. Then, it would execute the chrset.exe file, which is meant to display the lock screen and to start a timer.

When the timer reaches zero, the program terminates the csrss.exe process, causing Windows to crash, which either results in an automatic reboot or keeps the computer in this state until the victim reboots it. When the machine reboots, the firefox32.exe file automatically starts and deletes all of the files under the victim’s %UserProfile% folder.

Advertisement. Scroll to continue reading.

However, researchers warn that, since the analyzed sample was only a test version, the Hitler-Ransomware might receive updates before a final variant is released. To avoid having their files deleted, users are advised to disable the automatic reboot on Windows crash. Saving files in other directories than those in the %UserProfile% folder would also be a good idea.

Related: New Cerber Ransomware Variant Packs Improved Key Generation

Related: Satana Ransomware Encrypts MBR and User Files

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.