Hitler-Ransomware, a piece of file-encrypting malware that emerged recently, isn’t yet able to encrypt files, but still displays a lock screen and asks for a €25 ($28) ransom.
The ransomware appears to be under development, with an unfinished version leaking online, but might also be the work of less skilled developers, BleepingComputers’ Lawrence Abrams notes. The malware includes some spelling errors within the interface and does not encrypt user files, but can do significant harm to infected systems.
To be more precise, the Hitler-Ransomware (or Hitler-Ransonware, as it is misspelled on the lock screen), removes all extensions from the files under various directories, displays a lock screen featuring Hitler, and starts a one hour countdown. After an hour, the malware would crash the victim’s computer and would delete all the files under %UserProfile% upon reboot.
Discovered by AVG malware analyst Jakub Kroustek, the ransomware’s code reveals that it might have been created by a German developer. German text found in an embedded batch file reveals that the malware sample might indeed be only a test version.
According to researchers, the ransomware’s executable is a batch file that has been converted into an installer executable with some other bundled applications. Upon execution, the ransomware runs a batch file destined to remove all file extensions for the files in the %UserProfile% Pictures, Documents, Downloads, Music, Videos, Contacts, Links, and Desktop folders.
Next, the ransomware extracts three files into the %Temp% folder on the victim’s machine, namely chrst.exe, ErOne.vbs, and firefox32.exe. On top of that, the malware copies the firefox32.exe file into the Common Startup folder to ensure that it runs at boot.
The next step is to run the ErOne.vbs script, which displays an alert saying “The file could not be found!” in an attempt to trick the victim into thinking that the program didn’t work correctly. Then, it would execute the chrset.exe file, which is meant to display the lock screen and to start a timer.
When the timer reaches zero, the program terminates the csrss.exe process, causing Windows to crash, which either results in an automatic reboot or keeps the computer in this state until the victim reboots it. When the machine reboots, the firefox32.exe file automatically starts and deletes all of the files under the victim’s %UserProfile% folder.
However, researchers warn that, since the analyzed sample was only a test version, the Hitler-Ransomware might receive updates before a final variant is released. To avoid having their files deleted, users are advised to disable the automatic reboot on Windows crash. Saving files in other directories than those in the %UserProfile% folder would also be a good idea.
Related: New Cerber Ransomware Variant Packs Improved Key Generation
More from SecurityWeek News
- Threat Hunting Summit Virtual Event NOW LIVE
- Video: ESG – CISO’s Guide to an Emerging Risk Cornerstone
- Threat Modeling Firm IriusRisk Raises $29 Million
- SentinelOne Announces $100 Million Venture Fund
- Today: 2022 CISO Forum Virtual Event
- Cymulate Closes $70M Series D Funding Round
- SecurityWeek to Host CISO Forum Virtually September 13-14, 2022: Registration is Open
- Privilege Escalation Flaw Haunts VMware Tools
Latest News
- Google Suspends Chinese Shopping App Amid Security Concerns
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
