GermanWiper: A Ransomware That Deletes Files Even If Ransom Is Paid

Several German businesses and organizations have been targeted by a sophisticated and ruthless ransomware attack that did not only ubiquitously demand ransom but also wipes all the files of the victims amidst paying the money the attackers asked for. Appropriately cybersecurity experts call it the GermanWiper.

The ransomware, which was first flagged by researchers from Bleeping Computer, Tuesday, July 30, was discovered to be a wiper and not a data encryptor. This means that the moment the ransomware infected a system, all the files were wiped instead of encrypted.

The researchers led by  Michael Gillespie said that once the ransomware infects a computer or a device, the GermanWiper will effectively destroy files in the infected system. Despite not having a redemption once infected, the attackers of the now infamous ransomware would still demand the victims to transfer BTC 0.15038835 or approximately $1,600 to a listed bitcoin address. Gillespie said that even if the victims pay the ransom, nothing will be salvaged from the files because there is nothing to decrypt anymore since the ransomware replaces the files with a series of binary numbers, making it impossible to decrypt.

“Even if a victim pays the ransom, the money is wasted because the malware does not encrypt the data but overwrites it with zeroes and ones, destroying it,” Bleeping Computer reports in a forum.

Distribution strategy and how the ransomware works

The GermanWiper ransomware is being distributed across Germany through an elaborate phishing campaign where a certain Lena Kretschmer would pose as a job seeker and send companies her supposed resume. The emails being sent have the subject “Ihr Stellenangebot – Bewerbung [Your job offer – Application] – Lena Kretschmer” and contain an attachment titled “” posing as a document archive.

Image from Bleeping Computer

The attached compressed file in the email sent through the fraudulent email contains the ransomware. Once unsuspecting victims extract the file from the attachment,  they will find two files that pretend to be PDF resumes for the sender.

Security researcher James found that these PDFs are actually “shortcuts (LNK) that execute a PowerShell command to download an HTA file from the expandingdelegation[.]top site and launch it on the local machine.” When the HTA file is executed, it will download the GermanWiper ransomware and save it to the victim’s computer as an executable with a “three letter file name,” the researchers said.

The analysis made by Bleeping Computer analysts revealed that in order to make the destruction of the files possible, the ransomware would terminate processes associated with the database and other software so that the files can be accessed by the file-destroying malware. The following processes are terminated upon execution of the ransomware:

  • notepad.exe
  • dbeng50.exe
  • sqbcoreservice.exe
  • encsvc.exe
  • mydesktopservice.exe
  • isqlplussvc.exe
  • agntsvc.exe
  • sql.exe
  • sqld.exe
  • mysql.exe
  • mysqld.exe
  • oracle.exe

When these processes are terminated, the ransomware would then scan the entire computer to locate files and delete them, making exemptions to certain files with a specific file name, extensions, and/or located in particular folders. Files in folders like windows, recycle.bin, mozilla, google, boot, application data, appdata, program files, program files (x86), programme, programme (x86), programdata, perflogs, intel, msocache, system volume information are spared from the ransomware’s havoc.

As mentioned earlier, the wiping of the victims’ files is done by overwriting the programs with a series of zeroes and ones. To make it believable that the files were encrypted rather than deleted; the ransomware would also append random file extensions like .08kJA, .AVco3, or .Fi2Ed to the users’ files.

Once all of these processes are undertaken in the victim’s computer, a ransom note would pop up named Fi2Ed_Entschluesselungs_Anleitung.html demanding the victim to pay bitcoin to the attackers for their files to be “decrypted.” The ransom note will also appear in the victims’ screen with a message that translates to “Open Fi2Ed_Entschluesselungs_Anleitung.html to find out how to decode your files.”

The ransom note. Photo: Bleeping Computer

Furthermore, the attackers also designed the ransomware to generate a unique bitcoin address for each victim supposedly randomly; however, the researchers have discovered that the attacker only has 36 base64-encoded bitcoin addresses and that the ransomware will randomly pick one to assign to a victim.

Interestingly, the ransom note sent out by the attackers also includes a JavaScript that counts how many systems have been affected by the ransomware. The script “connects to the wiper’s C2 server and sends the bitcoin address associated with the victim and other information. As the ransom note is automatically opened by the wiper at the end of execution, the attacker uses this script to track the number of victims.”

Be the first to comment on "GermanWiper: A Ransomware That Deletes Files Even If Ransom Is Paid"

Leave a comment

Your email address will not be published.