Security Experts:

Unfinished Hitler-Ransomware Variant Deletes User Files

Hitler-Ransomware, a piece of file-encrypting malware that emerged recently, isn’t yet able to encrypt files, but still displays a lock screen and asks for a €25 ($28) ransom.

The ransomware appears to be under development, with an unfinished version leaking online, but might also be the work of less skilled developers, BleepingComputers’ Lawrence Abrams notes. The malware includes some spelling errors within the interface and does not encrypt user files, but can do significant harm to infected systems.

To be more precise, the Hitler-Ransomware (or Hitler-Ransonware, as it is misspelled on the lock screen), removes all extensions from the files under various directories, displays a lock screen featuring Hitler, and starts a one hour countdown. After an hour, the malware would crash the victim’s computer and would delete all the files under %UserProfile% upon reboot.

Discovered by AVG malware analyst Jakub Kroustek, the ransomware’s code reveals that it might have been created by a German developer. German text found in an embedded batch file reveals that the malware sample might indeed be only a test version.

According to researchers, the ransomware’s executable is a batch file that has been converted into an installer executable with some other bundled applications. Upon execution, the ransomware runs a batch file destined to remove all file extensions for the files in the %UserProfile% Pictures, Documents, Downloads, Music, Videos, Contacts, Links, and Desktop folders.

Next, the ransomware extracts three files into the %Temp% folder on the victim’s machine, namely chrst.exe, ErOne.vbs, and firefox32.exe. On top of that, the malware copies the firefox32.exe file into the Common Startup folder to ensure that it runs at boot.

The next step is to run the ErOne.vbs script, which displays an alert saying “The file could not be found!” in an attempt to trick the victim into thinking that the program didn’t work correctly. Then, it would execute the chrset.exe file, which is meant to display the lock screen and to start a timer.

When the timer reaches zero, the program terminates the csrss.exe process, causing Windows to crash, which either results in an automatic reboot or keeps the computer in this state until the victim reboots it. When the machine reboots, the firefox32.exe file automatically starts and deletes all of the files under the victim's %UserProfile% folder.

However, researchers warn that, since the analyzed sample was only a test version, the Hitler-Ransomware might receive updates before a final variant is released. To avoid having their files deleted, users are advised to disable the automatic reboot on Windows crash. Saving files in other directories than those in the %UserProfile% folder would also be a good idea.

Related: New Cerber Ransomware Variant Packs Improved Key Generation

Related: Satana Ransomware Encrypts MBR and User Files

view counter