NitroRansomware, the newest ransomware on the block, has been discovered demanding Discord Nitro gift codes from victims. Discord Nitro is a subscription plan that costs $9.99 and offers various features to its users. It is unusual for ransomware actors to demand gift codes instead of actual money.

A twist in the ransomware tale

The ransomware was first discovered by MalwareHunterTeam, and other researchers looked into how the code works.
  • The new strain is being distributed as a free gift code generator for Discord Nitro. After the ransomware executes, it encrypts the victim's files and gives a three-hour time limit to provide a valid Discord Nitro gift code. However, the three-hour limit is scareware.
  • It adds the .givemenitro extension to the encrypted files, and at the end of the encryption process the ransomware changes the user's wallpaper to an evil or angry Discord logo.
  • In addition, the ransomware verifies that the provided Discord gift codes are correct and then decrypts the files using a static decryption key.
  • Analysis from Bleeping Computer disclosed that, because of the static nature of the decryption key, it is possible to obtain the decryption key from the executable itself without paying $9.99.

Further attacks after infection

After infection, the ransomware steals Discord tokens from victims to hack Discord servers.
  • It searches for the victim's Discord installation path, obtains user tokens from the *.ldb files (located under "Local Storage\leveldb"), and uses a Discord webhook to send these stolen tokens to the attackers.
  • In addition, the ransomware implements backdoor capabilities to remotely execute commands.
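As an added detection-side example (not code from the article or from the malware's analysts), the script below correlates constructed endpoint telemetry to flag the two behaviours just described: a single process reading Discord's leveldb files and then connecting to a Discord webhook, and files being renamed with the .givemenitro extension. The event format, paths and webhook URL are assumptions made up for the example.

```python
"""Correlate constructed endpoint events to spot NitroRansomware-style behaviour:
Discord leveldb reads paired with webhook exfiltration, and .givemenitro renames."""
import re
from collections import defaultdict

# Constructed sample telemetry (not real data): (pid, event_type, detail)
EVENTS = [
    (1001, "file_read", r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"),
    (1001, "net_connect", "https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN"),
    (1001, "file_rename", r"C:\Users\alice\Documents\report.docx -> report.docx.givemenitro"),
    # The Discord client itself reads leveldb but does not post to a webhook: benign.
    (2002, "file_read", r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000007.ldb"),
    # A legitimate bot posts to a webhook but never touched the token store: benign.
    (3003, "net_connect", "https://discord.com/api/webhooks/PLACEHOLDER_ID2/PLACEHOLDER_TOKEN2"),
]

LEVELDB_RE = re.compile(r"discord\\Local Storage\\leveldb\\[^\\]+\.ldb$", re.IGNORECASE)
WEBHOOK_RE = re.compile(r"^https://(?:discord\.com|discordapp\.com)/api/webhooks/", re.IGNORECASE)
RANSOM_EXT = ".givemenitro"


def analyse(events):
    """Return {pid: [finding, ...]} for processes showing suspicious behaviour."""
    state = defaultdict(lambda: {"ldb": False, "webhook": False, "renames": 0})
    for pid, kind, detail in events:
        s = state[pid]
        if kind == "file_read" and LEVELDB_RE.search(detail):
            s["ldb"] = True
        elif kind == "net_connect" and WEBHOOK_RE.match(detail):
            s["webhook"] = True
        elif kind == "file_rename" and detail.lower().endswith(RANSOM_EXT):
            s["renames"] += 1

    findings = {}
    for pid, s in state.items():
        hits = []
        # Either signal alone is noisy; the pairing is what indicates token theft.
        if s["ldb"] and s["webhook"]:
            hits.append("discord-token-theft")
        if s["renames"]:
            hits.append(f"ransom-extension x{s['renames']}")
        if hits:
            findings[pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in analyse(EVENTS).items():
        print(pid, hits)
```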

Recent attacks on gift cards

Stolen gift cards, loyalty codes, and payment cards are big business in cyber-underground marketplaces.
  • In February, a threat actor sold 895,000 stolen gift cards with a buy-now price of $20,000 (valued at $38 million) and 330,000 stolen payment cards with a buy-now price of $15,000.
  • Last year, Subway loyalty program members were sent spam emails tricking them into downloading malware.

Conclusion

Researchers suggest that users infected with the ransomware immediately change their Discord passwords. In addition, they should run an antivirus scan to spot other malicious programs added to the system. Furthermore, users should look for and remove any new Windows accounts that they did not create.

Cyware Publisher