GermanWiper: the new ransomware variant that overwrites data instead of encrypting it

Ransomware attacks are among the most common cyber threats today, and attackers keep updating their methods to maximize revenue. Specialists in system audits have reported the emergence of a new malware variant that behaves like ransomware; however, instead of encrypting the victims’ files, it overwrites all the information, so the attackers evidently never intended to restore anyone’s data.

The first reports, which emerged a few days ago, described the detection of a ransomware campaign attacking users in German-speaking territories; victims of these attacks claimed that the malware completely erased the data on the compromised system. Cases of infection soon appeared in other parts of Europe as well.

The malware, dubbed GermanWiper by system audit specialists, is technically classified as ransomware, although it does not encrypt the victim’s information: it overwrites all data with meaningless characters, rendering every file stored by the victim useless.

This class of malware, known as a wiper, is used by disruptive threat actors and causes serious economic losses for attacked organizations. Even so, the operators of this campaign do not hesitate to demand ransoms from victims, whose information has already been destroyed by the time they find the ransom note.

According to system audit experts, GermanWiper is distributed through a massive spam campaign. The attackers send emails, supposedly from job seekers, to different departments of target organizations. Each email carries an attachment containing the malware; running the files inside the attachment starts the infection.

The attachment delivers two files that appear to be PDFs but are actually links that run a PowerShell command and install the malware on the target system. Once the malicious code reaches the victim’s computer, it runs locally and automatically and destroys the user’s information.

When the malware finishes this process, a ransom note appears on the victim’s screen, claiming that the files have been encrypted and demanding a payment of around 0.16 Bitcoin to an address specified in the message. Because the malware destroys the user’s information instead of encrypting it, GermanWiper victims should not give in to the attackers’ demands: paying cannot recover their data.
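Whether files were overwritten with filler or actually encrypted is the question a responder must answer before anyone considers a ransom, and byte statistics give a quick first hint. The triage helper below is an added example, not code from the article or from any GermanWiper analysis; it assumes that ciphertext has near-uniform byte entropy while filler leaves low entropy, and the thresholds are illustrative rather than measured on real samples.

```python
"""Triage helper: was a file encrypted (possibly recoverable) or wiped?

Added example, not from the original article. Assumption: encrypting
ransomware leaves high-entropy ciphertext (close to 8 bits/byte), while a
wiper that overwrites with filler leaves low-entropy bytes. A wiper that
overwrites with random data looks like ciphertext, so treat the verdict
as a hint for further forensic checks, not proof.
"""
import math
import random
from collections import Counter
from pathlib import Path

ENCRYPTED_MIN = 7.5   # bits per byte; near-uniform byte distribution
WIPED_MAX = 2.0       # bits per byte; constant or repeated filler


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Coarse verdict from byte statistics alone."""
    h = shannon_entropy(data)
    if h >= ENCRYPTED_MIN:
        return "likely-encrypted"
    if h <= WIPED_MAX:
        return "likely-wiped"
    return "plaintext-or-unknown"


def triage_file(path: Path, sample_size: int = 65536) -> str:
    """Classify a file from its first `sample_size` bytes."""
    with open(path, "rb") as fh:
        return classify(fh.read(sample_size))


# Constructed samples: constant filler (wiped), seeded PRNG bytes standing
# in for ciphertext, and ordinary text of the kind found in a job application.
WIPED_SAMPLE = b"\x00" * 4096
_rng = random.Random(1234)
CIPHERTEXT_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))
TEXT_SAMPLE = b"Bewerbung als Sachbearbeiter, Lebenslauf anbei.\n" * 80

if __name__ == "__main__":
    for name, blob in [("wiped", WIPED_SAMPLE), ("cipher", CIPHERTEXT_SAMPLE),
                       ("text", TEXT_SAMPLE)]:
        print(f"{name:7s} entropy={shannon_entropy(blob):.2f} -> {classify(blob)}")
```

Run `triage_file` over a sample of affected files; a population of "likely-wiped" verdicts means the data is gone regardless of any key the attackers claim to hold.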

Specialists in system audits from the International Institute of Cyber Security (IICS) say that, although very limited, activity of this malware has been detected outside Germany and other European countries. Countries that have reported GermanWiper infections include Ireland, Hungary, Spain and England, and even some Asian countries, such as Taiwan and China.

As protection against potential GermanWiper infections, users are advised to back up their most important files; if possible, these backups should be kept in a physical location with no Internet connection. Training employees to detect and handle spam and phishing attacks is also advisable, but backups remain the best way to prevent information loss caused by wiper malware.
