Nitroransomware demands gift codes as ransom payments

Pierluigi Paganini April 19, 2021

A new ransomware dubbed ‘NitroRansomware’ has appeared in the threat landscape, it demands a Discord Nitro gift code to decrypt files.

Researchers from BleepingComputer reported infections of a new singular ransomware dubbed NitroRansomware which demands a Discord Nitro gift code to the victims to decrypt their files.

Discord is a free VoIP, instant messaging and digital distribution platform designed for creating communities. Users communicate with voice calls, video calls, text messaging, media and files in private chats or as part of communities called “servers.” Servers are a collection of persistent chat rooms and voice chat channels.

Discord also offers a Nitro subscription add-on for $9.99 per month that provides additional features, such as HD video streaming. Nitro subscriptions could also be paid as a gift for another user.

NitroRansomware has been distributed as a fake free Nitro gift code generator.

Upon executing the ransomware, it will encrypt the victim’s file and will give 3 hours to them to provide a valid Discord nitro. The malware appends the “.givemenitro” extension to the filenames of the encrypted files, at the end of an encryption process Nitroransomware will change the user’s wallpaper to an evil Discord logo.

In case the victims will not provide the Nitro gift code within three hours, the ransomware threaten to delete their encrypted files.

“This timer appears to be an idle threat as the ransomware samples seen by BleepingComputer do not delete any files when the timer reaches zero.” states BleepingComputer.

In case the victims will provide a valid Nitro gift code URL, the ransomware will use a Discord API URL to verify it and then will use an embedded static decryption key to decrypt the files.

The ransomware operators have chosen this payment method because it is quite easy for them to cash out by selling the Discord gift cards in the underground marketplaces and hacking forums.

The good news is that the presence of the decryption keys in the executable of the malware could allow researchers to obtain them and decrypt the files without paying the ransom.

BleepingComputer researchers also noted that the NitroRansomware performs other malicious activity on an infected device such as stealing Discord authentication tokens that are stored in the form of *.ldb files stored under “Local Storage\leveldb.

Once stolen the tokens are sent back to the ransomware operators over a Discord webhook.

The availability of the token could allow attackers to impersonate a Discord user and act on his behalf.

NitroRansomware also implements backdoor capabilities.

The popular expert Kevin Beaumont also shared additional information on the threat.

https://twitter.com/GossiTheDog/status/1383746145969606664

Experts recommend victims of this ransomware immediately change their Discord password, sanitize their machine, and remove and Windows account that they did not create.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Nitroransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment