Security researchers are warning of new Hitler-themed ransomware designed to crash victims’ PCs and then delete all files after just one hour if its author isn’t paid.
First discovered by AVG malware analyst, Jakub Kroustek, the new variant requires users to merely enter a cash code for a €25 Vodafone Card as ransom.
It appears to be a test variant, judging by the comments in the embedded batch file and because it doesn’t actually encrypt any files, according to Bleeping Computer, which reviewed the malware.
“Instead this malware will remove the extension for all of the files under various directories, display a lock screen, and then show a one hour countdown as shown in the lock screen below. After that hour it will crash the victim's computer, and on reboot, delete all of the files under the %UserProfile% of the victim.”
The amateur nature of the variant is also accentuated by the fact that the word “ransomware” is misspelled in the lock screen as ‘Hitler-Ransonware.’
While it’s running, the ransomware will be on the lookout for any processes with the names taskmgr, utilman, sethc, or cmd – apparently terminating them if detected.
Stephen Brown, director of product management at Landesk, explained there are several steps users can take to mitigate the risk of infection, including being cautious about opening attachments and browsing sites.
Patched software, up-to-date AV, restricted access rights, user training, app whitelisting, disabled macros, and the containerization of separate environments can all help lower risk further, he added.
“Not all files are permanently lost. In the case of Hitler ransomware, a file recovery tool may be able to help,” Brown claimed. “Some ransomware has been cracked and there are utilities for decrypting files. Do some research or get an expert to help see if your data is recoverable.”
Organizations are also urged to keep data backed-up, with at least one copy stored offsite/offline.