Beware of GermanWiper – the ransomware that is not ransomware

Filip TRUȚĂ

August 05, 2019

A piece of wiper malware is making the rounds erasing people's important files, with its authors demanding a modest ransom to restore the data. However, the ransomware campaign is a lie, and the operators have no intention of decrypting the data.

Over the past week, reports have emerged that a ransomware campaign is unfolding across German-speaking territories, wiping the data on every endpoint it manages to land on. However, it's not just German-speaking territories that got hit.

What is GermanWiper?

GermanWiper, as the malware is dubbed, is technically ransomware. However, the malware actually does not encrypt the data – rather, it overwrites it with zeroes, rendering it useless.

The malware is therefore considered the "wiper" type. It's designed not to make a profit for its authors, but instead to cause disruption and financial harm to the victim. However, the operators are not shy to pocket any ransom thrown at them, as we'll see soon.

The first infections were initially reported on the BleepingComputer forum on July 30. GermanWiper is distributed through a malicious spam campaign. The email sender purports to be a job applicant named Lena Kretschmer. One of the attached files, an archive, contains the actual malware. Expanding the archive is not enough to get infected, but running the resulting files is.

The two files inside posing as PDFs are actually LNK shortcuts that execute a PowerShell command and download the malware. Once the malicious code makes its way onto the victim's computer, it automatically runs on the local machine and proceeds to wipe the user's data, while excluding system files to leave the computer still operational.

When the wiper completes its malicious mission, a ransom note in German is automatically displayed. The note tells the victim that their files have been encrypted and that the only way to decrypt them is to pay 0.15038835 Bitcoin to a specified wallet address. However, GermanWiper is simply designed to erase the data. Users who fall victim to GermanWiper are therefore urged not to pay the ransom!
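Because the note claims the files are encrypted while the article explains they are actually zero-filled, an incident responder can verify which case applies before anyone considers paying. The following triage helper is an added example, not code from the article or from Bitdefender: it classifies a file's contents as zero-filled (wiped), high-entropy (consistent with real encryption) or low-entropy plaintext; the sample byte strings and the 0.95 / 7.5 thresholds are constructed assumptions for illustration.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for identical bytes, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zero_ratio(data: bytes) -> float:
    """Fraction of bytes that are 0x00 (a wiper that overwrites with zeroes leaves ~1.0)."""
    return data.count(0) / len(data) if data else 0.0


def classify(data: bytes) -> str:
    """Triage verdict for a file that a ransom note claims is 'encrypted'.

    Thresholds are illustrative assumptions: >95% zero bytes means wiped,
    entropy above 7.5 bits/byte is what real encryption typically produces.
    """
    if not data:
        return "empty"
    if zero_ratio(data) > 0.95:
        return "wiped (zero-filled): paying cannot recover this"
    if shannon_entropy(data) > 7.5:
        return "high entropy: consistent with real encryption"
    return "low entropy: plaintext or partially damaged"


def triage(files: dict) -> dict:
    """Map each file name to its verdict; in practice read the bytes from disk."""
    return {name: classify(data) for name, data in files.items()}


# Constructed samples, not artifacts from the real campaign.
_rng = random.Random(7)
SAMPLES = {
    "wiped.docx": b"\x00" * 4096,                                   # what GermanWiper leaves
    "encrypted.docx": bytes(_rng.getrandbits(8) for _ in range(4096)),  # stand-in ciphertext
    "intact.txt": b"Sehr geehrte Damen und Herren, " * 100,          # untouched plaintext
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Run it over the files carrying the ransom note's extension on a quarantined image; a directory full of "wiped" verdicts confirms the article's conclusion that restoring from backup is the only way back.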

Not Germany-bound

Bitdefender has detected GermanWiper's presence, albeit ever so scarcely, across several other countries as well. As shown in the below graph, those countries include China, Taiwan, Spain, Ireland, Hungary, the US and the UK, among others. The percentage points represent GermanWiper's presence in each country at the time of this writing.

How much have the attackers made so far?

Despite not being designed to make a profit for its authors, at least not from a technical point of view, GermanWiper can still coerce victims to pay the ransom.

The executable contains not one but three dozen base64-encoded bitcoin addresses, of which the malware selects one at random for every new victim. We searched the Blockchain database for all 36 wallets and found that most of them had a balance of zero (at the time of this writing), with no transactions yet recorded.

However, three of the wallets have so far received funds in the exact amount specified in the ransom note, meaning the operators have so far pocketed around $5,300 at Bitcoin's current trading price.

How to protect yourself against wiper ransomware

Since GermanWiper destroys the data on the target computer, those who fall victim to GermanWiper are advised not to cave in to the attackers' demands. Keeping regular, offline backups from which to restore your data is the best defense against ransomware and/or wiper attacks. Failing to do so increases the chances of giving attackers the upper hand in case your data is held to ransom.

GermanWiper is being distributed as part of a spam campaign. Companies are advised to inform their employees about the campaign currently unfolding. As a rule of thumb, employees should be regularly instructed to keep good cyber-security hygiene and refrain from downloading any unsolicited documents as a general practice.
