Tech

GermanWiper ransomware hits Germany hard, destroys files, asks for ransom

Users advised not to pay the ransom under any circumstances!

Written by Catalin Cimpanu, Contributor Aug. 2, 2019 at 11:33 a.m. PT

For the past week, a new ransomware strain has been wreaking havoc across Germany. Named GermanWiper, this ransomware doesn't encrypt files but instead it rewrites their content with zeroes, permanently destroying users' data.

As a result, any users who get infected by this ransomware should be aware that paying the ransom demand will not help them recover their files.

See als

10 dangerous app vulnerabilities to watch out for (free PDF)

Unless users had created offline backups of their data, their files are most likely gone for good.

For now, the only good news is that this ransomware appears to be limited to spreading in German-speaking countries only, and with a focus on Germany primarily.

Pretty big distribution campaign

First signs of GermanWiper were reported earlier this week when victims started asking for help on the Bleeping Computer forums, a popular place where internet users congregate to get advice in dealing with ransomware infections.

The first report came on Tuesday, July 30, and they kept piling on through the following days.

Michael Gillespie, the creator of ID-Ransomware, a website where ransomware victims can upload samples and identify the type of ransomware that has infected their systems, told ZDNet that currently GermanWiper is one of the top five most active ransomware strains on his platform.

IDR detections for GermanWiper — Image: Michael Gillespie

The four ransomware strains with more detections on ID-Ransomware are all strains that are distributed globally. Taking this detail into account, it's safe to say that German-speaking users are currently under assault from GermanWiper's operators.

Distributed via malspam

According to German security researcher Marius Genheimer and CERT-Bund, Germany's Computer Emergency Response Team, the GermanWiper ransomware is currently being distributed via malicious email spam (malspam) campaigns.

⚠️ Angreifer versenden aktuell gefälschte Bewerbungen im Namen von "Lena Kretschmer" zur Verbreitung der #Ransomware #GermanWiper. Nicht die Anhänge der Mail öffnen! ⚠️ pic.twitter.com/rpDBReqQYX
— CERT-Bund (@certbund) August 2, 2019

These emails claim to be job applications from a person named "Lena Kretschmer." A CV is attached as a ZIP file to these emails, and contains a LNK shortcut file. The LNK file is boobytrapped and will install the GermanWiper ransomware.

When users run this file, the ransomware will rewrite the content of various local files with the 0x00 (zero character), and append a new extension to all files. This extension has a format of five random alpha-numerical characters, such as .08kJA, .AVco3, .OQn1B, .rjzR8, etc..

After it "encrypts" all targeted files, GermanWiper will open the ransom note (an HTML file) inside the user's default browser. The ransom note looks like the one below. A video of the infection process is also available here.

Victims are given seven days to pay the ransom demand. It is important to remember that paying the ransom note won't help users recover their files.

Second ransomware-wiper combo to hit Germany

Curiously, this is not the first ransomware with wiper tendencies that targets German-speaking users. In November 2017, Germany was targeted by a similar ransomware strain named Ordinypt (or HSDFSDCrypt).

Coincidentally, or not, Ordinypt also used malspam for distribution and CVs of beautiful women to get victims to infect themselves. In addition, the Ordinypt ransom note is also nearly identical with the one used by GermanWiper.

ZDNet would like to thank security researcher @James_inthe_box for his help with this report.