GermanWiper ransomware targets German organizations via malspam campaigns – deletes all files and still demands ransom
Security experts spotted a new ransomware strain that targets German organizations and regular users. Named GermanWiper, the malware is actively being distributed via the spam email attachments that pretend to be from a job applicant. As soon as the malicious .zip file is executed, the ransomware starts its file deletion process.
Unlike most other ransomware viruses that lock all the files by using the encryption algorithm, GermanWiper replaces all the data of the file with zeros, consequently destroying it. However, a random file extension is added to each of the compromised files in order to make it look like files have been encrypted rather than wiped out. Therefore, users and company representatives should be aware that paying the ransom is useless, as data is permanently corrupted as soon as the malicious payload is executed on the machine.
Cert-Bund, the Federal computer emergency response team of Germany, tweeted on August 2 about the ongoing malware campaign, and prompted users not to open the contaminated email attachments and asked blocking all the emails coming from stadtmailer[.]com (18.104.22.168) and the HTTP access to expandingdelegation[.]top domain.
Cert-Bund also sent a warning about the campaign:
Attackers currently send fake applications on behalf of “Lena Kretschmer” for the distribution #Ransomware #GermanWiper. Do not open the attachments of the mail!
The campaign starts with seemingly innocent job application from “Lena Kretschmer”
The attackers behind GermanWiper came with an elaborate phishing email that could trick many, as the email seems extremely legitimate, especially if the company is actually hiring. Considering that the spam email is sent as an application form from a person seemingly named “Lena Kretschmer,” it is highly likely that hackers carefully choose their targets.
The malicious email contains two documents – a picture file Lena_Kretschmer_Bewerbungsfoto.jpg and a compressed file Unterlaged_Lena_Kretschmer.zip. The body of the letter explains the attachments are there for the recipients to see the full CV. At this point, most of the users who receive an email notice no foul play.
The contents of the .zip file are two PDFs, or at least it may seem so at first, as they are obfuscated LNK shortcuts that start a PowerShell command that downloads and executes the malicious HTA executable from expandingdelegation[.]top domain.
The main payload is saved in the C:\\Users\\Public folder, which consequently starts the file deletion process. Once completed, victims are presented with a ransom note which is named by using a random combination of letters and comes in an HTML format.
According to the note, victims are asked to pay 0.15038835 BTC to the provided Bitcoin wallet in order to retrieve access to files. However, as discovered by experts, file decryption is not possible because they get corrupted as soon as the malware enters the computer.
GermanWiper might be trying to disrupt the operation of various sectors in the country
It is yet not clear why GermanWiper is targeting German-based companies only, but some experts claimed that the attackers are trying to disrupt the operation of various sectors of the country. Nevertheless, there is no confirmation whether a particular industry is affected or the targets are chosen at random, and no names of the targets are yet provided.
Security experts note that GermanWiper campaign shows many similarities to the REvil/Sodinokibi strain, that used the German national cybersecurity authority (BSI) name to distribute its malicious payload within the contaminated email attachments which also used PowerShell commands to download and install the ransomware. However, Sodinokibi does not erase data but encrypts it, just as most of traditional file locking viruses do.
Interestingly, GermanWiper is not the first data-wiping malware that struck Germany. Back in 2017, Germany was targeted by another wiper called OdinCrypt, which was also distributed as an attachment of a fake CV.