LTS Secure Warning: Ransomware Dubbed “GermanWiper” Wreaks Havoc Across Germany By Destroying Files & Still Demanding For Ransom

While most of the ransomware being developed by attackers function by encrypting victim’s data & demanding them to pay a certain amount of ransom, mostly in bitcoin. GermanWiper takes a different approach at this. Rather than encrypting the data, it overwrites it with zeroes, making it worthless. Therefore, the malware falls in the category of “Wiper“.

The main purpose of these kinds of malware is usually to cause disruption to business operations. But here, the victims are still being displayed a ransom note, to cause financial damages as well.

Technical Details

The attackers are delivering the ransomware via Mal-Spam Campaigns. The mail contains an archive, which once extracted presents the victim with two PDF files, which are actually LNK shortcuts that once open will execute a powershell script & download the malware. The malware then starts with it malicious intent of wiping the victim’s data, while leaving the system files untouched to keep the device operational. Once done, a ransom note is displayed to the victim in German, requesting them to pay a certain amount of bitcoin in order to decrypt their data. However, paying the ransom in this case is useless as the data is being wiped & not encrypted.

Impact

• Downtime in Business Critical operations.
• Permanent loss of Sensitive/Confidential data.
• Operational and financial loss to the Business/Individual.

Recommended Actions

• Avoid Opening emails & attachments from unknown senders.
• Take system back-ups on regular intervals.
• Ensure that your devices are always up-to-date with the latest patches released.
• Regularly update your antivirus software & perform malware scans to protect against unknown threats.