GermanWiper ransomware spreads via phishing emails to target companies and users in Germany

• Instead of encrypting the victims’ files, the ransomware replaces contents of all files with zeros.
• The interesting aspect of the ransomware is that the victims won’t be able to recover their files even if they pay the ransom.

A newly discovered ransomware called GermanWiper has been found targeting German users and companies with an aim to demand a ransom. The ransomware is pushed via a phishing campaign.

What are its characteristics?

The malware was first reported on the Bleeping Computer forum on July 30, 2019. The ransomware, instead of encrypting the victims’ files, replaces contents of all files with zeros. In this way, the malware works as a destructive wiper rather than ransomware.

About the ransom note

After compromising a computer and deleting files, GermanWiper leaves a ransom note indicating that the data is completely encrypted and cannot be decrypted unless 0.15038835 BTC is transferred to a listed bitcoin address.

The concerning aspect of the ransomware is that the victims won’t be able to recover their files even if they pay the ransom.

How does it spread?

GermanWiper is being distributed in Germany through a spam email. The email appears to come from a job applicant named Lena Kretschmer.

The email is sent under the subject line ‘Ihr Stellenangebot - Bewerbung [Your job offer - Application] - Lena Kretschmer’. It contains an attachment titled ‘Unterlagen_Lena_Kretschmer.zip’ posing as a document archive.

The attachment contains two files that pretend to be PDF resumes. These PDFs are actually shortcuts to .LNK file that executes a Powershell command to download an HTA file. When the HTA file is executed, it will download the ransomware and save it to the C:\Users\Public folder as an executable with a three-letter file name.

Although it does not encrypt files, the ransomware tricks the victims to make it look like an encryption process occurred. Each file is appended with a random 5 character extension such as .08kJA, .AVco3, or .Fi2Ed.

After completing the deletion process, GermanWiper removes the shadow volume copies and disables Windows automatic startup repair by launching a set of commands.

Later, it creates a ransom note named Fi2Ed_Entschluesselungs_Anleitung.html which includes Bitcoin address that is unique to a victim.

Wiping out selected files

The ransomware scans the affected system for files to destroy. When wiping files, it skips files that have certain names, extensions or are located in particular folders. This includes:

• windows
• recycle.bin
• mozilla
• google
• boot
• application data
• appdata
• program files
• program files (x86)
• programme
• programme (x86)
• programdata
• perflogs
• intel
• msocache
• system volume information

The reason for skipping them is because they are essential for Windows booting properly and for browsing the web.