A piece of wiper malware is making the rounds erasing people’s important files, with its authors demanding a modest ransom to restore the data. However, the ransomware campaign is a lie, and the operators have no intention of decrypting the data.
Over the past week, reports have emerged that a ransomware campaign is unfolding across German-speaking territories, wiping the data on every endpoint it manages to land on. However, it’s not just German-speaking territories that got hit.
What is GermanWiper?
GermanWiper, as the malware is dubbed, is technically ransomware. However, the malware actually does not encrypt the data – rather, it overwrites it with zeroes, rendering it useless.
The malware is therefore considered a ‘wiper’. It’s designed not to make a profit for its authors, but instead to cause disruption and financial harm to the victim. However, the operators are not shy about pocketing any ransom thrown at them, as we’ll see soon.
The first infections were initially reported on the BleepingComputer forum on July 30. GermanWiper is distributed through a malicious spam campaign. The email sender purports to be a job applicant named Lena Kretschmer. One of the attached files, an archive, contains the actual malware. Expanding the archive is not enough to get infected, but running the resulting files is.
The two files inside posing as PDFs are actually LNK shortcuts that execute a PowerShell command and download the malware. Once the malicious code makes its way onto the victim’s computer, it automatically runs on the local machine and proceeds to wipe the user’s data, while excluding system files to leave the computer still operational.
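The decoy relies on a shortcut file wearing a PDF name: Windows Explorer never displays the `.lnk` extension, so `Lebenslauf.pdf.lnk` renders as `Lebenslauf.pdf`. A mail gateway or analyst can catch this without running anything, because every Shell Link file opens with a fixed 20-byte header (HeaderSize 0x4C followed by the LinkCLSID {00021401-0000-0000-C000-000000000046}). The following is an added example written for this article, not code from Bitdefender or from the malware; it scans an in-memory ZIP for members that carry an LNK header or that claim to be PDFs without a PDF header. The archive, its member names and contents are all constructed here for illustration.

```python
"""Flag archive members that pose as PDFs but are Windows shortcut (LNK) files."""
import io
import zipfile
from typing import List, Optional, Tuple

# HeaderSize (0x0000004C, little-endian) followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in on-disk GUID byte order.
# Every .lnk file starts with these 20 bytes, whatever its name says.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")
PDF_MAGIC = b"%PDF-"
HEAD_LEN = 1024  # enough to cover the LNK header and a PDF's (possibly offset) signature


def classify_member(name: str, head: bytes) -> Optional[str]:
    """Return a short reason string if the member looks like a disguised shortcut, else None."""
    lower = name.lower()
    if head.startswith(LNK_MAGIC):
        # A shortcut file; a double extension such as ".pdf.lnk" is typical for lures.
        return "lnk-header"
    if lower.endswith(".pdf") and PDF_MAGIC not in head:
        # Named like a document but the bytes are something else entirely.
        return "pdf-name-without-pdf-header"
    return None


def scan_archive(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Scan every file in a ZIP and return (member name, reason) for each suspicious one."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(HEAD_LEN)
            reason = classify_member(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive: one LNK decoy, one genuine PDF, one mislabelled binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Bewerbung.pdf.lnk", LNK_MAGIC + b"\x00" * 60)      # constructed shortcut decoy
        zf.writestr("Lebenslauf.pdf", PDF_MAGIC + b"1.4\n%constructed\n")  # harmless PDF header
        zf.writestr("Zeugnis.pdf", b"MZ\x90\x00" + b"\x00" * 16)          # PE header under a PDF name
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_archive(build_sample_archive()):
        print(f"{member}: {why}")
```

In a mail pipeline the same check would run over the real attachment before it reaches a user; a hit on `lnk-header` inside a ZIP that arrives as a job application is enough to quarantine the message, since no legitimate CV is delivered as a shortcut.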
When the wiper completes its malicious mission, a ransom note in German is automatically displayed. The note tells the victim that their files have been encrypted and that the only way to decrypt them is to pay 0.15038835 Bitcoin to a specified wallet address. However, GermanWiper is simply designed to erase the data. Users who fall victim to GermanWiper are therefore urged not to pay the ransom!
Bitdefender has detected GermanWiper’s presence, albeit very sparsely, across several other countries as well. As shown in the graph below, those countries include China, Taiwan, Spain, Ireland, Hungary, the US and the UK, among others. The percentage points represent GermanWiper’s presence in each country at the time of this writing.
How much have the attackers made so far?
Despite not being designed to make a profit for its authors, at least not from a technical point of view, GermanWiper can still coerce victims to pay the ransom.
The executable contains not one but three dozen base64-encoded bitcoin addresses, of which the malware selects one at random for every new victim. We searched the Blockchain database for all 36 wallets and found that most of them had a balance of zero (at the time of this writing), with no transactions yet recorded.
However, three of the wallets have so far received funds in the exact amount specified in the ransom note, meaning the operators have so far pocketed around $5,300 at Bitcoin’s current trading price.
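Pulling the wallet list out of a sample is routine analyst work: the addresses are stored base64-encoded, and a Base58Check validation separates real Bitcoin addresses from other base64 strings in the binary. The block below is an added example written for this article, not Bitdefender's tooling and not the malware's code. The byte blob it scans and the three addresses inside it are constructed here from random 20-byte hashes (they are not GermanWiper's wallets, which this article does not list); the extraction and validation logic is the real technique.

```python
"""Extract base64-encoded Bitcoin addresses from a binary blob and validate them with Base58Check."""
import base64
import hashlib
import random
import re
from typing import List

ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 encoding; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    out = bytearray()
    while n:
        n, rem = divmod(n, 58)
        out.append(ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return (b"1" * pad + bytes(out[::-1])).decode()


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in text.encode():
        n = n * 58 + ALPHABET.index(ch)
    pad = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first four bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def is_valid_address(addr: str) -> bool:
    """True for a mainnet P2PKH ('1...') or P2SH ('3...') address with a correct checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return checksum(raw[:-4]) == raw[-4:]


def make_address(hash160: bytes, version: int = 0x00) -> str:
    """Build a constructed address from a 20-byte hash (used only to fabricate test data)."""
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))


def extract_wallets(blob: bytes) -> List[str]:
    """Find base64 runs long enough to hold an address and keep those that decode to a valid one."""
    found = []
    for run in re.findall(rb"[A-Za-z0-9+/]{36,}={0,2}", blob):
        try:
            candidate = base64.b64decode(run, validate=True).decode("ascii")
        except ValueError:  # includes binascii.Error and UnicodeDecodeError
            continue
        if is_valid_address(candidate) and candidate not in found:
            found.append(candidate)
    return found


# Constructed sample data: deterministic random hash160 values, so the run is reproducible.
_rng = random.Random(1)
SAMPLE_ADDRESSES = [make_address(bytes(_rng.getrandbits(8) for _ in range(20))) for _ in range(3)]
_decoy = base64.b64encode(b"not-a-wallet-just-a-long-constant-string!!")
SAMPLE_BLOB = b"\x00".join(
    [b"MZ\x90\x00\x03", base64.b64encode(SAMPLE_ADDRESSES[0].encode()), _decoy,
     base64.b64encode(SAMPLE_ADDRESSES[1].encode()), b"text",
     base64.b64encode(SAMPLE_ADDRESSES[2].encode()), b"\x00"]
)

if __name__ == "__main__":
    for wallet in extract_wallets(SAMPLE_BLOB):
        print(wallet)
```

The regex assumes each encoded address sits between non-base64 bytes, which holds for null-terminated strings in a PE; against a real sample you would typically run it over the output of a strings tool, and then monitor the validated addresses on a block explorer to track payments the way the counts above were obtained.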
How to protect yourself against wiper ransomware
Since GermanWiper destroys the data on the target computer, those who fall victim to GermanWiper are advised not to cave in to the attackers’ demands. Keeping regular, offline backups from which to restore your data is the best defense against ransomware and/or wiper attacks. Failing to do so increases the chances of giving attackers the upper hand in case your data is held to ransom.
GermanWiper is being distributed as part of a spam campaign. Companies are advised to inform their employees about the campaign currently unfolding. As a rule of thumb, employees should be regularly instructed to keep good cyber-security hygiene and to refrain from opening any unsolicited documents as a general practice.