Jakub Kroustek, a malware analyst at AVG, has discovered a new piece of ransomware that uses the lately popular technique of deleting the encrypted files if the victim does not pay the ransom on time. Named Hitler-Ransomware, but misspelled as “Hitler-Ransonware” on its lock screen, it locks the victim's screen with a picture of Hitler and the following message:
“This is the Hitler-Ransonware
Your Files was enrypted!
Do you decrypt your Files?
Buy a Vodafone Card (25€) and add the code in the TextBox!”
Judging by the comments in the embedded batch file and by the fact that it does not actually encrypt anything, this Hitler variant looks like a test build rather than a finished piece of ransomware. What it does is strip the extensions from files in certain directories, display the lock screen and give the victim one hour to pay before the files are deleted. Because the files are only renamed, their contents are still intact at that point. Once the hour is up, the Hitler-Ransomware crashes the machine, which then reboots, and deletes every file under the victim's %UserProfile% folder.
The German text found in the embedded batch file leads researchers to believe that the authors of the Hitler-Ransomware are German as well. The text reads:
“Das ist ein Test
besser gesagt ein HalloWelt
copyright HalloWelt 2016
:d by CoolNass
Ich bin ein Pro
fuer Tools für Windows”
In English: “This is a test, or rather a HelloWorld; copyright HalloWelt 2016; :d by CoolNass; I am a pro for tools for Windows.”
The Hitler-Ransomware reaches the victim's computer as a batch file that has been converted into an installer executable and bundled with some other applications. Once run, the installer executes the batch file, which first strips the extensions from the targeted files and then drops chrst.exe, ErOne.vbs and firefox32.exe into the victim's %Temp% folder. firefox32.exe is also copied into the Common Startup folder so that it runs automatically on the next reboot.
Next, the ErOne.vbs script is executed; it shows a “The file could not be found!” alert, so that the user believes the program simply failed to run. Then chrst.exe is executed, which displays the lock screen quoted above together with the one-hour countdown. When the hour is up, the program terminates the csrss.exe process, which makes Windows crash or produce a Blue Screen of Death (BSOD). Either way the machine reboots, automatically or by the victim's hand. On reboot, firefox32.exe starts from the Startup folder and deletes all files under the victim's %UserProfile% folder. Note that the destructive step lives entirely in that Startup-folder copy of firefox32.exe: as long as it is removed before the machine is allowed to boot back into Windows, the wipe never runs.
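The chain above (drop three files into %Temp%, persist firefox32.exe via the Startup folder, run the decoy VBS, run the lock screen, kill csrss.exe) is easy to express as an endpoint detection. The following Python sketch is an added example, not code from the article or from the sample's author; it walks a list of Sysmon-style events and reports which stages appear. Sysmon event IDs 1 (ProcessCreate), 10 (ProcessAccess) and 11 (FileCreate) are real, but the flat dict shape of each event, the user name, the installer path `setup.exe`, the event records themselves and the three-of-five verdict threshold are all constructed assumptions for the example. Matching is by file name and location only, since the page gives no hashes.

```python
"""Detection sketch for the Hitler-Ransomware execution chain (added example).

Sysmon event IDs 1 (ProcessCreate), 10 (ProcessAccess) and 11 (FileCreate)
are real; the flat dict event shape and all records below are constructed.
"""
import ntpath

# File names taken from the write-up (lower-cased for matching).
DROPPED_FILES = {"chrst.exe", "erone.vbs", "firefox32.exe"}
STARTUP_BINARY = "firefox32.exe"
DECOY_SCRIPT = "erone.vbs"
LOCKSCREEN_BINARY = "chrst.exe"
CRASH_TARGET = "csrss.exe"
PROCESS_TERMINATE = 0x0001  # Win32 process access-right bit


def base_name(path):
    return ntpath.basename(path).lower()


def in_temp(path):
    # Any ...\Temp\... location; the sample uses the user's %Temp%.
    return "\\temp\\" in path.lower()


def in_startup_folder(path):
    # Covers the Common (All Users) and the per-user Startup folder alike.
    return "\\start menu\\programs\\startup\\" in path.lower()


def analyze(events, min_stages=3):
    """Record which stages of the chain appear in Sysmon-style events."""
    found = {
        "dropped_in_temp": set(),
        "startup_persistence": False,
        "decoy_vbs_run": False,
        "lockscreen_run": False,
        "csrss_kill_attempt": False,
    }
    for ev in events:
        if ev["id"] == 11:  # FileCreate
            target = ev["target"]
            if in_temp(target) and base_name(target) in DROPPED_FILES:
                found["dropped_in_temp"].add(base_name(target))
            if in_startup_folder(target) and base_name(target) == STARTUP_BINARY:
                found["startup_persistence"] = True
        elif ev["id"] == 1:  # ProcessCreate
            image = base_name(ev["image"])
            cmdline = ev.get("commandline", "").lower()
            if image in ("wscript.exe", "cscript.exe") and DECOY_SCRIPT in cmdline:
                found["decoy_vbs_run"] = True
            if image == LOCKSCREEN_BINARY and in_temp(ev["image"]):
                found["lockscreen_run"] = True
        elif ev["id"] == 10:  # ProcessAccess
            if (base_name(ev["target_image"]) == CRASH_TARGET
                    and ev["granted_access"] & PROCESS_TERMINATE):
                found["csrss_kill_attempt"] = True

    stages = [
        found["dropped_in_temp"] == DROPPED_FILES,
        found["startup_persistence"],
        found["decoy_vbs_run"],
        found["lockscreen_run"],
        found["csrss_kill_attempt"],
    ]
    found["stages_matched"] = sum(stages)
    found["verdict"] = ("hitler-ransomware chain"
                        if found["stages_matched"] >= min_stages else "no match")
    return found


TEMP = r"C:\Users\alice\AppData\Local\Temp"          # assumed user profile
SETUP = r"C:\Users\alice\Downloads\setup.exe"        # hypothetical installer

# Constructed events reproducing the chain described in the article.
SAMPLE_EVENTS = [
    {"id": 11, "image": SETUP, "target": TEMP + r"\chrst.exe"},
    {"id": 11, "image": SETUP, "target": TEMP + r"\ErOne.vbs"},
    {"id": 11, "image": SETUP, "target": TEMP + r"\firefox32.exe"},
    {"id": 11, "image": SETUP,
     "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\firefox32.exe"},
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "commandline": 'wscript.exe "' + TEMP + r'\ErOne.vbs"'},
    {"id": 1, "image": TEMP + r"\chrst.exe", "commandline": TEMP + r"\chrst.exe"},
    {"id": 10, "image": TEMP + r"\chrst.exe",
     "target_image": r"C:\Windows\System32\csrss.exe", "granted_access": 0x1401},
]

# Constructed benign activity that touches the same locations.
BENIGN_EVENTS = [
    {"id": 11, "image": r"C:\Windows\explorer.exe", "target": TEMP + r"\report.tmp"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "commandline": "notepad.exe"},
    {"id": 10, "image": r"C:\Windows\System32\taskmgr.exe",
     "target_image": r"C:\Windows\System32\csrss.exe", "granted_access": 0x1000},
]

if __name__ == "__main__":
    for label, events in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        result = analyze(events)
        print(label, result["verdict"], result["stages_matched"])
```

The three-of-five threshold is deliberate: the file names are trivially changed in a future build, but a process in %Temp% that opens csrss.exe with PROCESS_TERMINATE access, combined with an executable dropped into a Startup folder, is a behaviour worth alerting on regardless of what the binaries are called.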
Since the ransomware is still a work in progress, its behaviour may well change if and when it is finished.