For the past week, a new ransomware strain has been wreaking havoc across Germany. Named GermanWiper, this ransomware doesn’t actually encrypt files; instead, it overwrites their contents with zeroes, permanently destroying users’ data.

Multiple German companies were off to a rough start last week when a phishing campaign pushing data-wiping malware targeted them and demanded a ransom. The malware has been named GermanWiper because it targets German victims and because it is a destructive wiper rather than true ransomware: the data is overwritten, not encrypted, so there is no key that could ever bring it back. Any users who get infected should therefore be aware that paying the ransom demand will not help them recover their files. Unless users had created offline backups of their data, their files are most likely gone for good. For now, the only good news is that this malware appears to be spreading only in German-speaking countries, primarily Germany.

Pretty big distribution campaign

First signs of GermanWiper were reported earlier this week when victims started asking for help on the Bleeping Computer forums, a popular place where internet users congregate to get advice on dealing with ransomware infections.

The first report came on Tuesday, July 30, and new reports kept piling up over the following days.

Michael Gillespie, the creator of ID-Ransomware, a website where ransomware victims can upload samples and identify the type of ransomware that has infected their systems, told ZDNet that currently, GermanWiper is one of the top five most active ransomware strains on his platform.

The four ransomware strains with more detections than GermanWiper on ID-Ransomware are all strains that are distributed globally. Taking this detail into account, it’s safe to say that German-speaking users are currently under heavy assault from GermanWiper’s operators.

Distributed via malspam

According to German security researcher Marius Genheimer and CERT-Bund, Germany’s Computer Emergency Response Team, the GermanWiper ransomware is currently being distributed via malicious email spam (malspam) campaigns.

These emails claim to be job applications from a person named “Lena Kretschmer.” A supposed CV is attached as a ZIP file, but instead of a document the archive contains an LNK (Windows shortcut) file. The LNK file is booby-trapped: opening it launches the GermanWiper payload.
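The lure described above (a ZIP "CV" whose only payload is a shortcut) is something a mail gateway or an analyst can check for without ever opening the attachment. The following is an added example, not code from the original article or from any of the researchers it cites. It inspects a ZIP attachment for members that are Windows shortcuts, checking both the filename (executable extension, "document" double extension) and the file content (every .lnk starts with the fixed 20-byte header defined in MS-SHLLINK: HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046). The sample archive, its member names and the extension lists are constructed here for illustration; the shortcut body is a stub and is not a working payload.

```python
import io
import re
import zipfile

# Fixed header of every Windows shortcut file (MS-SHLLINK): HeaderSize = 0x4C,
# then the LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions Windows Explorer executes on double-click (assumed list, extend as needed).
EXECUTABLE_EXTS = (".lnk", ".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".bat", ".cmd")

# "CV.pdf.lnk": a document-looking extension hiding a second, real one.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.[a-z0-9]{2,4}$")


def inspect_zip_attachment(data: bytes):
    """Return a list of (member_name, reason) findings for a ZIP given as bytes.

    An empty list means nothing suspicious was found. Detection is by name
    AND by content, so a shortcut renamed to hide its .lnk extension is still
    caught by the header check.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lowered = name.lower()
            if lowered.endswith(EXECUTABLE_EXTS):
                findings.append((name, "executable extension"))
            if DOUBLE_EXT.search(lowered):
                findings.append((name, "double extension"))
            # Content check: read only as many bytes as the shortcut header needs.
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                findings.append((name, "Windows shortcut header"))
    return findings


def build_sample_zip(malicious: bool = True) -> bytes:
    """Construct a ZIP resembling the lure (names and contents are made up here).

    malicious=True adds a 'CV' that is really a shortcut stub; malicious=False
    yields a harmless archive containing only a JPEG stub.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            # Real LNK header, dummy remainder: enough to trip the content check, nothing more.
            zf.writestr("Lena_Kretschmer_CV.pdf.lnk", LNK_MAGIC + b"\x00" * 40)
        zf.writestr("Foto.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # benign JPEG stub
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_zip_attachment(build_sample_zip()):
        print(f"{name}: {reason}")
```

The header check is the one that matters in practice: the other two are cheap name heuristics that an attacker controls completely, whereas the 20-byte header must be present for Windows to treat the file as a shortcut at all. A gateway would typically quarantine on any finding; an analyst triaging a sample would then look at the shortcut's target and arguments with a proper LNK parser.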

When users run this file, the malware overwrites the contents of the targeted local files with 0x00 bytes and appends a new extension to each of them. This extension consists of five random alphanumeric characters, such as .08kJA, .AVco3, .OQn1B or .rjzR8.
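Because the files are zero-filled rather than encrypted, an incident responder can tell within seconds whether any decryption is even theoretically possible: zeroed content is gone, while genuine ransomware output is high-entropy ciphertext. The following is an added example, not code from the original article, that walks a directory, picks out files carrying a five-character random extension of the kind described above, and classifies each by content. The sample directory, file names and the thresholds (first 4 KiB sampled, 7.5 bits/byte as the "encrypted" cut-off) are assumptions made here; it also assumes a wiped file is zeroed from its first byte, which is what the article's description implies.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Five random alphanumerics after the last dot, as in .08kJA or .rjzR8.
RANDOM_EXT = re.compile(r"\.[A-Za-z0-9]{5}$")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or uniform data, 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str, sample_size: int = 4096) -> str:
    """Classify a file as 'wiped', 'encrypted', 'intact' or 'empty' from its first bytes.

    All-zero sample: the content was overwritten, so there is no ciphertext and
    nothing a key could restore. Entropy above 7.5 bits/byte (assumed threshold)
    is what real ransomware output looks like. Anything else is treated as intact.
    """
    with open(path, "rb") as f:
        head = f.read(sample_size)
    if not head:
        return "empty"
    if head.count(0) == len(head):
        return "wiped"
    if shannon_entropy(head) > 7.5:
        return "encrypted"
    return "intact"


def triage_directory(root: str) -> dict:
    """Walk root and classify every file whose name ends in a five-character extension.

    Returns {path relative to root: classification}.
    """
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if RANDOM_EXT.search(name):
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, root)] = classify_file(full)
    return results


def build_sample_tree() -> str:
    """Construct a throwaway directory mimicking the aftermath (all contents made up here):
    one zeroed file, one random-looking file as true ransomware would leave, one untouched note."""
    root = tempfile.mkdtemp(prefix="germanwiper_triage_")
    with open(os.path.join(root, "Rechnung.docx.08kJA"), "wb") as f:
        f.write(b"\x00" * 2048)            # what GermanWiper leaves behind
    with open(os.path.join(root, "Vertrag.pdf.rjzR8"), "wb") as f:
        f.write(os.urandom(2048))          # what an actual encryptor would leave behind
    with open(os.path.join(root, "Notizen.txt"), "wb") as f:
        f.write(b"Meeting am Montag\n" * 50)
    return root


if __name__ == "__main__":
    for rel, verdict in sorted(triage_directory(build_sample_tree()).items()):
        print(f"{verdict:10s} {rel}")
```

Two caveats a practitioner should keep in mind. First, the extension pattern is deliberately loose and will also match legitimate five-letter extensions such as .xhtml or .class, so it is a filter for what to look at, not a verdict by itself; the content classification is the verdict. Second, if a strain only zeroes part of a file, a sample taken from the start could read "intact" or "encrypted"; raise sample_size, or sample several offsets, when the observed behaviour differs from the all-zero overwrite described here.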

After it “encrypts” all targeted files, GermanWiper opens the ransom note (an HTML file) in the user’s default browser. The ransom note looks like the one below. A video of the infection process is also available.

[Image: GermanWiper ransom note. Source: ZDNet]

Victims are given seven days to pay the ransom demand. It is important to remember that paying the ransom won’t help users recover their files: the data was overwritten, not encrypted, so there is nothing to decrypt.

Second ransomware-wiper combo to hit Germany

Curiously, this is not the first ransomware with wiper tendencies that targets German-speaking users. In November 2017, Germany was targeted by a similar ransomware strain named Ordinypt (or HSDFSDCrypt).

Coincidentally, or not, Ordinypt was also distributed via malspam, and it too used CVs of attractive women to lure victims into infecting their own machines. In addition, the Ordinypt ransom note is nearly identical to the one used by GermanWiper.