GermanWiper is a new strain of ransomware, CCN reports. CCN calls it “insidious” because the data is not returned even after the victim pays the ransom: it has already been destroyed.
CCN says, “The malware, GermanWiper, tells victims it has encrypted their data, when in reality it has erased it completely. It then demands 0.15038835 BTC (approximately $1,750) under the pretext of offering victims a chance to get their data back.”
Apparently, for now, GermanWiper has primarily affected Microsoft Windows users in Germany, says Bleeping Computer. It uses a devious phishing campaign to target and infect business computers. Furthermore, the hackers package the malware in emails that appear to be from job applicants.
On Bleeping Computer forums, “some of those who have encountered the Bitcoin ransomware indicated that the phishing emails look like serious and highly professional job applications — complete with perfect grammar and spelling.”
One forum member posted: “My ‘customer’ was expecting job applications, as they had an advert posted with the ‘Bundesagentur für Arbeit’ (aka Jobcenter) and from what I have gathered from the Internet other victims also had jobs to offer. Pictures and other info were stolen from Xing it would seem. The grammar and spelling was good, and everything seemed in order. So no chance for the regular user to avoid this trap.”
Others reported that emails coming from a supposed job applicant called Lena Kretschmer carry zip files containing what look like PDF documents. However, they are not PDF files but rather shortcuts, which launch a series of events that download and install the malware.
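A mail gateway or analyst can check for the disguise described above by inspecting zip attachments for Windows shortcut files before they reach a user. The following is an added example, not code from CCN or Bleeping Computer; the file names and the sample archive are constructed, and the check relies only on the Shell Link header defined in Microsoft's MS-SHLLINK specification.

```python
import io
import zipfile

# Shell Link header per MS-SHLLINK: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
DOC_EXTS = (".pdf", ".doc", ".docx", ".rtf", ".txt")

def find_shortcuts(zip_bytes):
    """Return (name, reason) for every archive member that is a Windows shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            try:
                with zf.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
            except RuntimeError:  # encrypted member: fall back to the name check
                head = b""
            is_lnk_content = head == LNK_MAGIC
            is_lnk_name = lower.endswith(".lnk")
            if not (is_lnk_content or is_lnk_name):
                continue
            stem = lower[:-4] if is_lnk_name else lower
            if is_lnk_content and not is_lnk_name:
                reason = "shortcut header under a non-.lnk name"
            elif stem.endswith(DOC_EXTS):
                reason = "double extension hiding a shortcut"
            else:
                reason = "shortcut inside archive"
            findings.append((name, reason))
    return findings

def build_sample():
    """Constructed sample: a benign PDF stub plus fake shortcut headers (no payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Anschreiben.pdf", b"%PDF-1.4\n%%EOF\n")
        zf.writestr("Lebenslauf.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("Zeugnis.pdf", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in find_shortcuts(build_sample()):
        print(f"{name}: {reason}")
```

Windows Explorer hides the `.lnk` extension even when file extensions are shown, so a member named `Lebenslauf.pdf.lnk` appears to the user as `Lebenslauf.pdf`; checking the header as well as the name catches renamed shortcuts.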
Most ransomware attacks return data once the hackers have received their payment. However, GermanWiper overwrites all the data with a series of zeroes and ones.
CCN warns, “Since there is no chance of recovering the destroyed data, GermanWiper victims shouldn’t even think about sending any Bitcoin to the hackers.”