NitroRansomware, the newest ransomware on the block, has been discovered demanding Discord Nitro gift codes from victims. Discord Nitro is a subscription plan that costs $9.99 and offers various features to its users. It is unusual for ransomware actors to be demanding gift codes instead of actual money.
A twist in the ransomware tale
The ransomware was first discovered by MalwareHunterTeam, and other researchers looked into how the code works.
- The new strain is being distributed as a free gift code generator for Discord Nitro. After the ransomware executes, it encrypts the victim’s file and provides a three-hour time limit to provide a valid Discord Nitro. However, the three-hour limit is scareware.
- It adds the .givemenitro extension to the encrypted files and at the end of an encryption process, the ransomware will modify the user’s wallpaper to an evil or angry Discord logo.
- In addition, the ransomware verifies that the provided Discord gift codes are correct and then decrypts the files using a static decryption key.
- Analysis from Bleeping Computer disclosed that because of the static nature of the decryption keys, it is possible to obtain a decryption key from the executable itself without paying $9.99.
Further attacks after infection
After infection, the ransomware steals Discord tokens from victims to hack Discord servers.
- It searches for a victim's Discord installation path and obtains user tokens from the *.ldb files (located under "Local Storage\leveldb) and uses Discord webhook to send these stolen tokens to the attackers.
- In addition, the ransomware implements backdoor capabilities to remotely execute commands.
Recent attacks on gift cards
The Stolen gift, loyalty codes, and cards contribute to big businesses in the cyber-underground marketplaces.
- In February, a threat actor sold 895,000 stolen gift cards with a buy-now price of $20,000 (valued at $38 million) and 330,000 stolen payment cards with a buy-now price of $15,000.
- Last year, Subway loyalty program members were sent spam emails tricking them into downloading malware.
Researchers suggest that users infected with the ransomware immediately change their Discord passwords. In addition, they are suggested to perform an antivirus scan to spot other malicious programs added to the system. Furthermore, users should look for and remove any new accounts in Windows that they did not create.