Hitler Ransomware

Exterminator
Oct 23, 2012
Two days ago, AVG security researcher Jakub Kroustek discovered a quite originally named ransomware variant called the Hitler Ransomware (actually Ransonware but the grammar Nazi lying in me could not let that pass) that deletes your files as a result of bad coding.

The Hitler ransomware infection takes place when the user double-clicks on an infected binary. According to Bleeping Computer, this file drops a batch file on the user's system, which then drops three files called firefox32.exe, ErOne.vbs, and chrst.exe.

Firefox32.exe is copied to the startup folder to ensure the ransomware starts with every PC boot. ErOne.vbs shows an error when the user clicks the original executable, making him believe the file contains an error. Chrst.exe is the actual ransomware, which displays the ransom note on the user's screen, starts the encryption process and a one-hour countdown timer.

The Hitler ransomware will encrypt the user's files and also delete their original extensions. When the countdown timer reaches zero, the chrst.exe file crashes spectacularly, causing a Windows BSOD (Blue Screen of Death).

When the computer recovers from the BSOD or the user restarts the PC, he'll find that Hitler (the ransomware) has deleted all the files in his User Profile folder.

Hitler ransomware created by a German-speaking developer
As Bleeping Computer's malware analyst Lawrence Abrams points out, based on the source code comments found in the batch file, the Hitler ransomware seems to be the work of a German-speaking developer.

This notion is reinforced by the fact that Hitler asks for the ransom in Euros. In fact, the ransomware asks for the code of a €25 Vodafone telephony card.

"This ransomware appears to be a test variant," Abrams writes. "I hope this is not the actual code that this ransomware developer plans on using if it goes live."

Below we present a YouTube video showcasing the Hitler ransomware infection process, courtesy of Serbian security researcher GrujaRS.

Deleted member 178

Surfright said:
I've spoken to the guy who creates those videos via direct message on Twitter a while ago, and he confirmed that he turns off protections just to illustrate the ransomware. He apparently only has one snapshot for both protection tests (CryptoGuard ON) and illustration videos (CryptoGuard OFF). So if you see a video from "GrujaRS" know that CryptoGuard is OFF.

Now that you know, on your request I've done some research on the Hitler ransomware and the Cerber2 crypto-ransomware. The results are expected:
  • HitmanPro.Alert does NOT stop the Hitler ransomware, as it is NOT crypto-ransomware. CryptoGuard protects against crypto-ransomware and the Hitler ransomware doesn't encrypt your data. It simply removes the file extensions from your files and then demands ransom money. Your files are not changed.
    If victims reboot their machine, the data is deleted. This deletion process doesn't happen using overwrite (CryptoGuard would've stepped in otherwise) which means victims can use a simple undelete tool to get their files back. The Hitler ransomware is not prevalent, only 1 sample on VirusTotal, and it's extremely low tech. The first time it appeared on VirusTotal, AV detection was already decent; your AV would likely have protected you against this.

  • HitmanPro.Alert STOPS the Cerber2 ransomware, because it is irreversibly encrypting your data:

    Cerber2 is highly prevalent. Like Locky or Zepto, many, many variants of Cerber2 crypto-ransomware appear on VirusTotal every day. AV detection of new obfuscated variants is high; your AV will do a good job against Cerber2.
Hope this helps.

Source: HMPA thread on Wilders: HitmanPro.ALERT Support and Discussion Thread
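The article in the first post and Surfright's analysis quoted above describe the same behaviour from opposite sides: one says the files are encrypted and their extensions removed, the other says the content is untouched and only the extension is gone, so an undelete or rename recovers the data. The following is an added example, not code from this thread or from HitmanPro, showing the triage step a responder would run over a folder of suspect files: identify each file's real type from its leading bytes, propose the restored name where the extension was stripped but the content is intact, and flag files with no recognisable structure and near-8-bits-per-byte entropy as possibly encrypted. The signature table, the 7.5 entropy threshold and the sample files are all assumptions constructed for the example.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Small table of well-known leading-byte signatures (assumption: enough to
# cover the sample files constructed below; extend it for a real triage run).
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"PK\x03\x04", "zip"),    # also the container for docx/xlsx/pptx
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "exe"),
]

def looks_like_text(data: bytes) -> bool:
    """True if every byte is printable ASCII, tab, CR or LF."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)

def identify(data: bytes):
    """Extension implied by the content (signature first, then plain text), or None."""
    for magic, ext in SIGNATURES:
        if data.startswith(magic):
            return ext
    return "txt" if looks_like_text(data) else None

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, lower for structured files."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def propose_name(path: str) -> str:
    """Name the file should get back if its extension was stripped but its content is intact."""
    if os.path.splitext(os.path.basename(path))[1]:
        return path                      # still has an extension: nothing to restore
    with open(path, "rb") as fh:
        kind = identify(fh.read(4096))
    return path if kind is None else path + "." + kind

def triage_file(path: str) -> dict:
    """Classify one file: intact (extension stripped or not), likely encrypted, or unknown."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    kind = identify(head)
    has_ext = bool(os.path.splitext(os.path.basename(path))[1])
    if kind is not None and not has_ext:
        verdict = "intact, extension stripped"
    elif kind is not None:
        verdict = "intact"
    elif shannon_entropy(head) > 7.5:
        verdict = "likely encrypted"     # high entropy and no recognisable structure
    else:
        verdict = "unknown"
    return {"file": os.path.basename(path), "kind": kind, "verdict": verdict,
            "proposed": os.path.basename(propose_name(path))}

def constructed_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for encrypted content (constructed)."""
    out, block = b"\x00", b"seed"        # leading NUL so no signature can match by chance
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

def demo() -> list:
    """Write constructed sample files to a temp directory and triage each one."""
    d = tempfile.mkdtemp()
    samples = {
        "report": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
        "photo": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
        "notes.txt": b"meeting notes\n" * 20,
        "secret": constructed_ciphertext(4096),
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return [triage_file(os.path.join(d, name)) for name in samples]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run it directly to print one row per constructed sample, or call triage_file on real paths. It only proposes names (propose_name never renames), so the originals stay untouched while the verdicts are checked; a file that really was encrypted shows up with no recognisable type and high entropy, which is the case where a restored extension would not help.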
 

Amiga500
Jan 27, 2013
This is a moment in which I am ashamed to be German.
"Hitler" Ransomware...what a tasteless name.
Thanks for sharing. *liked*
No, you should not be ashamed of being German. A lot of great things have come out of Germany.
I am English and our history is far from being dirt free.
It's in the past, and the modern generation should not bear the weight of past mistakes.
 

DardiM
May 14, 2016
Thanks for the share :)

I hate ransomware, but this one is a BIG provocation ...
"Chrst.exe" => strange name for a Hitler ransomware, man that was like an "Anti-Christ".
This is a moment in which I am ashamed to be German.
"Hitler" Ransomware...what a tasteless name.
Thanks for sharing. *liked*
Don't be ashamed !
A lot of Germans were in the Resistance and have done a lot for freedom :)
German resistance to Nazism - Wikipedia, the free encyclopedia

seanss
Aug 8, 2016
Firefox32.exe is copied to the startup folder to ensure the ransomware starts with every PC boot. ErOne.vbs shows an error when the user clicks the original executable, making him believe the file contains an error. Chrst.exe is the actual ransomware, which displays the ransom note on the user's screen, starts the encryption process and a one-hour countdown timer.
Firefox.exe 32-bit, so is this ransomware trying to give you a new browser? :D But this is some nasty ransomware, though.
 
