

First posted on 15 August 2016.
Source: SecurityHome

Aliases:

There are no other names known for Hitler-Ransomware.

Explanation:

Hitler-Ransonware (sic) has started invading users' PCs, demanding €25 - yes, just €25 - or the deletion of all files in the User Profile folder.

However, although the malware claims to encrypt the files, security analysis reveals that it actually terminates a series of processes, crashes the PC after an hour and deletes the files on reboot.

The €25 ransom isn't the only indication that the malware is probably the work of a 'script kiddie' rather than a syndicate.

Unlike many ransomware variants, it doesn't seek to encrypt files. Rather, it locks the screen and demands payment. The files are deleted if the victim delays the payment for longer than an hour.

Hitler-Ransomware is propagated via basic spam emails with fake PDF or Microsoft Word attachments that don't open when launched. The malware then silently drops two files called chrst.exe and firefox32.exe to %TEMP%[random name].tmp, according to reports.

Rather than going to all the trouble of encrypting files, it simply removes their file extensions so that they don't open unless manually renamed.

The ransomware is so-called because infected systems display a lock screen with a photo of Hitler, giving the end user just one hour to pay up before the files are deleted and the PC is borked.

The malware's author appears to be German-speaking, and presumably living in a country in which Vodafone operates, as the €25 payment must be made in the form of a Vodafone telephone card. The code on the card needs to be tapped into the PC before the hour is up.

The analysis also indicates that the ransomware is a test version. Indeed, the words 'This is a test' among comments in the code are something of a giveaway. The coder appears to go by the name 'Cool Wet', which is frankly a rubbish name for a hacker.

This ransomware appears to be a test variant, based on the comments in the embedded batch file and because it does not encrypt any files at all. Instead, this malware removes the extension from all files under various directories, displays a lock screen and then shows a one-hour countdown on that lock screen.

After that hour it will crash the victim's computer, and on reboot delete all of the files under the %UserProfile% of the victim.

The crash is caused by the termination of the csrss.exe process, which will instantly blue screen the PC. On restart, firefox32.exe will automatically start and delete all the User Profile files.

While the ransomware is running it will constantly look for any processes named taskmgr, utilman, sethc or cmd. If one of these processes is detected, it will terminate it.
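As an added example (not from the original report), here is a small Python heuristic that flags the behaviours described above in Sysmon-style process and file events: the dropper names launched from a %TEMP%\*.tmp directory, termination of the recovery tools and of csrss.exe, and mass extension stripping. The event schema, sample paths and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Indicators taken from the description above; all sample data below is constructed.
RECOVERY_TOOLS = {"taskmgr.exe", "utilman.exe", "sethc.exe", "cmd.exe"}
DROPPED_NAMES = {"chrst.exe", "firefox32.exe"}
TEMP_TMP_DIR = re.compile(r"\\temp\\[^\\]+\.tmp\\", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze(events, rename_threshold=5):
    """Return (rule, detail) findings for event dicts in a hypothetical schema:
    process_create{image}, process_terminate{image, by}, file_rename{src, dst, by}."""
    findings, stripped = [], Counter()
    for ev in events:
        if ev["type"] == "process_create":
            # Reported dropper names launched from %TEMP%\<random>.tmp
            if basename(ev["image"]) in DROPPED_NAMES and TEMP_TMP_DIR.search(ev["image"]):
                findings.append(("dropper_in_temp_tmp", ev["image"]))
        elif ev["type"] == "process_terminate":
            victim = basename(ev["image"])
            if victim in RECOVERY_TOOLS:
                findings.append(("kills_recovery_tool", f"{basename(ev['by'])} -> {victim}"))
            elif victim == "csrss.exe":  # killing csrss.exe is what blue-screens the PC
                findings.append(("kills_csrss", basename(ev["by"])))
        elif ev["type"] == "file_rename":
            src, dst = ev["src"], ev["dst"]
            # Extension stripped: destination equals the source minus its final ".ext"
            if "." in basename(src) and dst == src.rsplit(".", 1)[0]:
                stripped[basename(ev["by"])] += 1
    for proc, n in stripped.items():
        if n >= rename_threshold:
            findings.append(("mass_extension_strip", f"{proc} ({n} files)"))
    return findings

# Constructed sample: one dropper process, one benign rename, six stripped files
DROPPER = r"C:\Users\alice\AppData\Local\Temp\a1b2.tmp\chrst.exe"
SAMPLE_EVENTS = (
    [{"type": "process_create", "image": DROPPER},
     {"type": "process_terminate", "image": r"C:\Windows\System32\taskmgr.exe", "by": DROPPER},
     {"type": "file_rename", "by": r"C:\Windows\explorer.exe",  # extension kept: benign
      "src": r"C:\Users\alice\Documents\draft.docx", "dst": r"C:\Users\alice\Documents\final.docx"}]
    + [{"type": "file_rename", "by": DROPPER, "src": rf"C:\Users\alice\Documents\doc{i}.docx",
        "dst": rf"C:\Users\alice\Documents\doc{i}"} for i in range(6)]
    + [{"type": "process_terminate", "image": r"C:\Windows\System32\csrss.exe", "by": DROPPER}]
)

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:22} {detail}")
```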

Last update 15 August 2016