A new variant of ransomware shows just how low and dirty malware developers are willing to get. Even the name is offensive. When Hitler-Ransomware (yes, that’s the name) infects a computer, it locks the screen with a picture of Hitler and the phrase, “This is Hitler-Ransonware” (sic) in a black box and tells you that your files have been encrypted. The screen goes on to direct the victim how to pay the ransom to recover the encrypted files.
But here is the cruelest part to this ransomware strain: It doesn’t encrypt files. It deletes them. As Stephen Brown, director of Product Management with LANDESK, said in an email comment, this new ransomware presents two new approaches: offensive presentation and destroying files that doesn’t involve encryption. He went on to state:
Using an image of an offensive figure creates immediate negative emotions which, compounded by the ransom demand, is more likely to trigger irrational responses. Part of ransomware's power is fear the fear of loss of personally valuable files.
Brown added that the lack of encryption could mean that the developer was either lazy or inept. In lieu of encryption, the user is given an hour's warning to pay the ransom and when that doesn’t happen, the malware simply crashes the computer and begins the deletion process on the reboot.
The ransomware appears to be German in origin because some of the code in the malware is in German. In fact, that code string translates to “This is a test.” It’s why there are concerns that a more mature and more dangerous version will be showing up soon.
If the Hitler images mock the fear and disgust most of us have for ransomware, what do cat pictures do? McAfee recently discovered a new strain of ransomware targeting Android devices. It is dubbed El Gato because it uses a cat picture to lock the screen while in the background the malware is encrypting the files on the SD card. As Computerworld explained:
Once El Gato, Spanish for ‘the cat,’ is installed, the attacker can control the ransomware and send commands to the Android via a web-based control panel. McAfee Labs researcher Fernando Ruiz said the malware runs on a legitimate cloud service provider and has botnet capabilities. The kicker is that the malware uses AES encryption with a hardcoded password, making decryption ‘trivial.’
Like Hitler-Ransomware, El Gato is likely in its testing phase. It shows us that ransomware is still evolving and cybercriminals continue to come up with new tactics that play off of fear or naiveté of users.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.