GermanWiper Ransomware Hits Germany Hard, Destroys Files, Asks For Ransom (zdnet.com)
An anonymous reader quotes a report from ZDNet: For the past week, a new ransomware strain has been wreaking havoc across Germany. Named GermanWiper, this ransomware doesn't encrypt files but instead it rewrites their content with zeroes, permanently destroying users' data. As a result, any users who get infected by this ransomware should be aware that paying the ransom demand will not help them recover their files. Unless users had created offline backups of their data, their files are most likely gone for good. For now, the only good news is that this ransomware appears to be limited to spreading in German-speaking countries only, and with a focus on Germany primarily.
According to German security researcher Marius Genheimer and CERT-Bund, Germany's Computer Emergency Response Team, the GermanWiper ransomware is currently being distributed via malicious email spam (malspam) campaigns. These emails claim to be job applications from a person named "Lena Kretschmer." A CV is attached as a ZIP file to these emails, and contains a LNK shortcut file. The LNK file is booby-trapped and will install the GermanWiper ransomware. When users run this file, the ransomware will rewrite the content of various local files with the 0x00 (zero character), and append a new extension to all files. This extension has a format of five random alphanumeric characters, such as .08kJA, .AVco3, .OQn1B, .rjzR8, etc. After it "encrypts" all targeted files, GermanWiper will open the ransom note (an HTML file) inside the user's default browser. The ransom note looks like the one below. A video of the infection process is also available here. Victims are given seven days to pay the ransom demand. It is important to remember that paying the ransom note won't help users recover their files.
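The report describes two traits of a GermanWiper-damaged file: an appended extension of five random alphanumeric characters, and content overwritten with 0x00 bytes. The following triage helper, added here as an example and not code from ZDNet, CERT-Bund or the Slashdot thread, walks a directory tree and reports files that carry such an extension and whether each one is entirely zero-filled, which is what tells a responder that the data is gone rather than encrypted. The sample directory it builds is constructed test data; the file names and the `Finding`/`scan`/`demo` helpers are assumptions of this example.

```python
"""Triage helper for wiper-style damage: flag files whose name ends in a
five-character alphanumeric extension and check whether they are all zeros."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# Five alphanumeric characters appended after the original name,
# e.g. "invoice.pdf.08kJA" (pattern from the report; example code).
WIPED_EXT = re.compile(r"^.+\.[A-Za-z0-9]{5}$")


@dataclass
class Finding:
    path: str
    size: int
    all_zero: bool  # True only if the file is non-empty and every byte is 0x00


def has_wiper_style_extension(name: str) -> bool:
    """Match on the appended five-character extension alone (weak signal)."""
    return WIPED_EXT.match(name) is not None


def is_all_zero(path: str, chunk_size: int = 1 << 20) -> bool:
    """Stream the file in chunks so large files do not need to fit in memory.
    An empty file is reported as not zero-filled: there is no content to judge."""
    if os.path.getsize(path) == 0:
        return False
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return True
            if chunk.strip(b"\x00"):  # any non-zero byte left after stripping
                return False


def scan(root: str) -> List[Finding]:
    """Walk the tree and collect every file with the suspicious extension."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not has_wiper_style_extension(name):
                continue
            full = os.path.join(dirpath, name)
            findings.append(Finding(full, os.path.getsize(full), is_all_zero(full)))
    return findings


def build_demo_tree(root: str) -> None:
    """Constructed sample data covering the cases a responder will meet."""
    samples = {
        "report.docx.08kJA": b"\x00" * 4096,     # wiped: zero-filled, 5-char extension
        "sub/photo.jpg.AVco3": b"\x00" * 10,     # wiped, inside a subdirectory
        "data.bin.ab12c": b"real content",       # 5-char extension but intact content
        "empty.pdf.Zq9Lm": b"",                  # 5-char extension, zero-length file
        "notes.txt": b"hello",                   # untouched, extension too short
        "archive.tar.gz": b"\x1f\x8b\x08\x00",   # untouched, extension too short
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def demo() -> Dict[str, int]:
    """Build the sample tree in a temp dir, scan it and summarise the result."""
    root = tempfile.mkdtemp(prefix="wiper-triage-")
    build_demo_tree(root)
    findings = scan(root)
    return {
        "flagged": len(findings),                       # extension matched
        "zeroed": sum(1 for f in findings if f.all_zero),  # confirmed destroyed
    }


if __name__ == "__main__":
    for f in scan(tempfile.mkdtemp()) or []:
        print(f)
    print(demo())
```

The extension pattern on its own is a weak indicator (a legitimate ".class" file also has five alphanumeric characters after the dot), so the zero-fill check is what separates "renamed" from "destroyed" on a real file server; files that match the pattern but still hold content deserve a manual look before anything is deleted or restored over.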
This is, in fact, a good thing (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Sure... but they will only pay if they believe that paying will actually get their data back. Stories like this undermine the credibility of future ransomware distributors who may promise they can recover their data, but people may start believing that their data is irrecoverably lost, and paying the "ransom" is just flushing money down the toilet.
Re: (Score:2)
Of course, but absolutely *nobody* is going to send money to try and get their data back if they believe that it won't make any difference.
Stories like this, with software that masquerades as ransomware but actually leaves the files in an irrecoverable state, will cause people who either experience it or hear about it, to be less trusting if or when so-called "real" ransomware hits in the future, and they will be correspondingly less likely to pay the ransom.
Which is, as I said, a good thing.
Re: (Score:2)
These two statements are mutually exclusive.
If they weren't stupid, they wouldn't need to pay the ransom.
And paying the ransom only further incentivizes these kinds of things to continue.
And the point is that this is *masquerading* as ransomware, so yeah... people aren't going to generally be able to tell the difference.
Re: (Score:2)
Sure... but they will only pay if they believe that paying will actually get their data back. Stories like this undermine the credibility of future ransomware distributors who may promise they can recover their data, but people may start believing that their data is irrecoverably lost, and paying the "ransom" is just flushing money down the toilet.
Exactly. If you believe that you won't get your data back, why pay the ransom?
Re: (Score:2)
Unless, like this story describes, the wiper attack is deliberately masquerading as ransomware.
Re: (Score:2)
Re: This is, in fact, a good thing (Score:2, Funny)
I find most ransomware authors to be bright and very competent. They generally provide a reasonable service at a reasonable price, so there's often not much to complain about (though whiners always do).
Re: (Score:1)
As long as you consider extortion reasonable.
Re: (Score:1)
Maybe their virus is bugged and they need to distribute an update? Who knows if Windows Update can help them :)
Re: (Score:2)
This has echoes of the 1990s and 2000s where PC viruses started to become so malicious that people actually started taking action. When people started having their monitors fry due to being set to too high a refresh rate, or the BIOS of their computer zeroed out, people and businesses started doing something about it. PCs had tape drives, and people used ZIP drives to copy files to, to ensure stuff was backed up. That lesson seems to have been lost when MS-DOS viruses became irrelevant, and most malware
Re: (Score:2)
Exactly.
I keep reading about victims of ransomware and phishing... But I've always had trouble seeing the "victims" as anything but idiots and dummies. The same kind of people who fail to understand they shouldn't follow strangers as a kid, eat that yellow snow or write their pin number on their credit card. You know, basic common sense...
Just because it's a computer, these people somehow think clicking on a link in an email from a stranger or visiting random websites entitles them to victimhood status. Well, nope, they're just idiots.
Re: (Score:2)
Just because it's a computer, these people somehow think clicking on a link in an email from a stranger or visiting random websites entitles them to victimhood status. Well, nope, they're just idiots.
Then I'm an idiot, always suspected it and now I know. Every website is random when you first go there, including this one.
I figured this would happen :-( (Score:3)
Re: (Score:2)
Your post doesn't make any sense. The only companies that are able to recover the encryption keys are those who are dealing with malware which has actual faults in its algorithm. The comparison with locking your bike is completely silly.
And no. Thieves don't generally fuck up your bike if you make it impossible to steal, they only ever fuck up the lock trying to get it open, so even from a people perspective your post doesn't make any sense at all.
Re: (Score:2)
Re: (Score:2)
Consider this: perhaps you've been so blessed in your life that you've never encountered the criminal mind before, therefore have no basis to understand how they think sometimes. If so count yourself lucky, it must be nice and calm and pleasant in your head most of the time.
Re: (Score:2)
Thieves don't fuck up your bike because they can't break the lock -- but bullies and assholes certainly do. That's when the bike chain serves better as a weapon than a security device.
Re: (Score:2)
So, sadly, it seems to go with ransomware; some company has come up with ways to recover the encryption key without paying the so-called 'ransom'
I doubt this is written by any actual ransomware writers, since it's not that hard to do right. Symmetric encrypt the files, create a PGP message to yourself with the key and wipe the key from memory. Whatever decryption service you run checks the Bitcoin payment, decrypts the PGP message and hands the symmetric key back to you. The basic proof of concept is so easy I could whip it up in a couple hours, a full service maybe a day or two. This is probably some copycats who got real lazy, yeah we could try t
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Occam's razor says it's what it looks like - someone who is trying to get people to pay a ransom, and they will take the money and run.
Re: (Score:2)
Now you've got me thinking: how about industrial espionage/industrial warfare? Sabotage your competitors in a false-flag op, making it look like just common cybercriminals? Can't offhand think of an example I've seen in the news that would fit that profile, but it would fit.
can someone rent a rack then backpack a magnet (Score:1)
can someone rent a rack then backpack a magnet to wipe out all the other racks?
This may be a good thing (Score:2)
If people learn that they may not get their data back after paying the ransom, perhaps they will stop paying the ransom and that would put all the ransomware purveyors out of business.
not the germans! (Score:1)
What did they ever do to anyone!
But does it run on Linux? (Score:2)
Windows users have all the fun.