Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Unfinished Hitler-Ransomware Variant Deletes User Files

Hitler-Ransomware, a piece of file-encrypting malware that emerged recently, isn’t yet able to encrypt files, but still displays a lock screen and asks for a €25 ($28) ransom.

Hitler-Ransomware, a piece of file-encrypting malware that emerged recently, isn’t yet able to encrypt files, but still displays a lock screen and asks for a €25 ($28) ransom.

The ransomware appears to be under development, with an unfinished version leaking online, but might also be the work of less skilled developers, BleepingComputers’ Lawrence Abrams notes. The malware includes some spelling errors within the interface and does not encrypt user files, but can do significant harm to infected systems.

To be more precise, the Hitler-Ransomware (or Hitler-Ransonware, as it is misspelled on the lock screen), removes all extensions from the files under various directories, displays a lock screen featuring Hitler, and starts a one hour countdown. After an hour, the malware would crash the victim’s computer and would delete all the files under %UserProfile% upon reboot.

Discovered by AVG malware analyst Jakub Kroustek, the ransomware’s code reveals that it might have been created by a German developer. German text found in an embedded batch file reveals that the malware sample might indeed be only a test version.

According to researchers, the ransomware’s executable is a batch file that has been converted into an installer executable with some other bundled applications. Upon execution, the ransomware runs a batch file destined to remove all file extensions for the files in the %UserProfile% Pictures, Documents, Downloads, Music, Videos, Contacts, Links, and Desktop folders.

Next, the ransomware extracts three files into the %Temp% folder on the victim’s machine, namely chrst.exe, ErOne.vbs, and firefox32.exe. On top of that, the malware copies the firefox32.exe file into the Common Startup folder to ensure that it runs at boot.

The next step is to run the ErOne.vbs script, which displays an alert saying “The file could not be found!” in an attempt to trick the victim into thinking that the program didn’t work correctly. Then, it would execute the chrset.exe file, which is meant to display the lock screen and to start a timer.

When the timer reaches zero, the program terminates the csrss.exe process, causing Windows to crash, which either results in an automatic reboot or keeps the computer in this state until the victim reboots it. When the machine reboots, the firefox32.exe file automatically starts and deletes all of the files under the victim’s %UserProfile% folder.

However, researchers warn that, since the analyzed sample was only a test version, the Hitler-Ransomware might receive updates before a final variant is released. To avoid having their files deleted, users are advised to disable the automatic reboot on Windows crash. Saving files in other directories than those in the %UserProfile% folder would also be a good idea.

Related: New Cerber Ransomware Variant Packs Improved Key Generation

Related: Satana Ransomware Encrypts MBR and User Files

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.