GermanWiper: the new ransomware variant that overwrites data instead of encrypting it

Ransomware attacks are among the most common cyber threats today, and attackers keep updating their methods to maximize their revenue. Specialists in system audits have reported the emergence of a new malware variant that behaves like ransomware; however, instead of encrypting the victims’ files, it overwrites all of the information, so there is no sign that the attackers ever intended to restore it.

The first reports, which emerged a few days ago, described a ransomware campaign targeting users in German-speaking territories; victims of these attacks claimed that the malware completely erased the data on the compromised system. Cases of infection soon appeared in other parts of Europe as well.

The malware, dubbed GermanWiper by system audits specialists, is technically classified as ransomware, although it does not encrypt the victim’s information: it overwrites every file with meaningless characters, rendering everything the victim has stored useless.

This class of malware, known as a wiper, is used by disruptive threat actors and causes serious economic losses for the organizations it hits. Even so, the operators of this campaign do not hesitate to demand a ransom from victims, whose information has already been destroyed by the time they find the ransom note.

According to system audits experts, GermanWiper is distributed through a massive spam campaign. The attackers send emails, supposedly from job seekers, to different departments of the target organizations. The email carries an attachment containing the malware; the infection begins once the files inside the attachment are executed.

The attachment contains two files presented as PDFs that are actually links which run a PowerShell command to install the malware on the target system. Once the malicious code reaches the victim’s computer, it runs automatically and deletes the user’s information.
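The lure described above depends on a file that looks like a PDF but is really something else. As an added illustration of how a mail gateway or a SOC analyst could catch attachments of this kind (example code written for this article, not a tool from IICS and not derived from the GermanWiper samples), the Python script below checks whether a file that claims to be a PDF actually starts with the PDF signature and whether its content is a Windows shortcut (.lnk) file, whose fixed header is a public format constant. The file names, byte contents, function names and verdict strings are constructed assumptions.

```python
"""Triage e-mail attachments that claim to be PDFs but carry other content.

Added example for this article; not code from IICS or from the GermanWiper
samples. Function names, verdict strings and sample inputs are assumptions.
"""

# Every real PDF begins with this signature.
PDF_MAGIC = b"%PDF-"

# A Windows Shell Link (.lnk) file begins with HeaderSize 0x0000004C followed
# by the LinkCLSID {00021401-0000-0000-C000-000000000046} in GUID byte order.
LNK_MAGIC = bytes.fromhex("4C000000 01140200 0000 0000 C000000000000046")


def looks_like_pdf(data: bytes) -> bool:
    """True when the content carries the PDF signature."""
    return data.startswith(PDF_MAGIC)


def is_windows_shortcut(data: bytes) -> bool:
    """True when the content is a Windows shortcut, whatever its file name."""
    return data.startswith(LNK_MAGIC)


def claimed_extensions(filename: str) -> list:
    """All extensions in the name, lower-cased: 'cv.pdf.lnk' -> ['pdf', 'lnk']."""
    parts = filename.lower().split(".")
    return parts[1:]


def triage_attachment(filename: str, data: bytes) -> str:
    """Return a verdict string: BLOCK, REVIEW or ALLOW with a short reason."""
    exts = claimed_extensions(filename)
    # Content wins over the name: a shortcut is a shortcut even if called *.pdf.
    if is_windows_shortcut(data):
        return "BLOCK: Windows shortcut (.lnk) content"
    # A name that advertises a PDF must actually contain one.
    if "pdf" in exts and not looks_like_pdf(data):
        return "BLOCK: named as PDF but content is not a PDF"
    # Stacked extensions (report.pdf.exe) hide the real type in Explorer.
    if len(exts) > 1:
        return "REVIEW: double extension"
    if exts == ["pdf"]:
        return "ALLOW: genuine PDF"
    return "REVIEW: unrecognised type"


def triage_mail(attachments: dict) -> dict:
    """Triage every attachment of one message; returns {name: verdict}."""
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


# Constructed sample message: one real PDF header, one shortcut disguised as a
# PDF, one shortcut with a stacked extension and one harmless text file.
SAMPLE_MAIL = {
    "Lebenslauf.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n",
    "Bewerbung.pdf": LNK_MAGIC + b"\x00" * 56,
    "Anschreiben.pdf.lnk": LNK_MAGIC + b"\x00" * 56,
    "notes.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    for name, verdict in triage_mail(SAMPLE_MAIL).items():
        print(f"{name:22} {verdict}")
```

The check deliberately trusts the bytes over the file name: a shortcut renamed to .pdf is blocked, and a name advertising a PDF whose content lacks the signature is blocked as well. Anything with stacked extensions or an unrecognised type is sent for review rather than silently allowed.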

When the malware finishes this process, a ransom note appears on the victim’s screen claiming that the files have been encrypted and demanding a payment of around 0.16 Bitcoin to an address specified in the message. Because the malware deletes the user’s information instead of encrypting it, GermanWiper victims should not give in to the attackers’ demands: there is no way for them to retrieve the information.

Specialists in system audits from the International Institute of Cyber Security (IICS) say that activity of this malware has also been detected, although in very limited volume, outside Germany, in other European countries and beyond. Countries that have reported GermanWiper infections include Ireland, Hungary, Spain, England and even some Asian countries, such as Taiwan and China.

As protection against potential GermanWiper infections, users are advised to back up their most important files. Where possible, these backups should be kept in a physical location without an Internet connection. Training employees to recognize and handle spam and phishing attacks is also advisable; however, backups remain the best way to prevent information loss from wiper malware.
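A backup is only as good as the confidence that it has not been wiped along with the live data. The Python script below is an added example (written for this article, not an IICS tool) of a hash manifest that is generated at backup time and stored with the offline copy, then used to verify a tree before trusting it for restore. The manifest layout, the function names and the classification heuristic (same size but different content is reported as "overwritten") are my own assumptions, and the demo data is constructed in a temporary directory.

```python
"""Verify a file tree against a SHA-256 manifest kept with the offline backup.

Added example for this article, not an IICS tool. Manifest format, function
names and the overwritten/modified heuristic are assumptions; the demo data
is constructed in a temporary directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, dict]:
    """Hash every file under root; the resulting JSON goes with the offline backup."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_tree(manifest: Dict[str, dict], root: Path) -> Dict[str, list]:
    """Classify each manifest entry as intact, overwritten (same size, different
    bytes), modified (different size) or missing when checked against root."""
    report = {"intact": [], "overwritten": [], "modified": [], "missing": []}
    for rel, meta in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) == meta["sha256"]:
            report["intact"].append(rel)
        elif p.stat().st_size == meta["size"]:
            # Same length, new content: consistent with an in-place overwrite.
            report["overwritten"].append(rel)
        else:
            report["modified"].append(rel)
    return report


def demo() -> Dict[str, list]:
    """Constructed scenario: snapshot a small tree, damage it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "contract.txt").write_bytes(b"Vertrag Nr. 17, gueltig ab 2019\n")
        (root / "docs" / "invoice.txt").write_bytes(b"Rechnung 0815, Betrag 1200 EUR\n")
        (root / "readme.txt").write_bytes(b"keep me\n")

        manifest = build_manifest(root)
        manifest_json = json.dumps(manifest, indent=1)  # this copy goes offline

        # Simulated damage for the demo only: one file replaced in place by
        # filler of equal length, one truncated, one deleted.
        target = root / "docs" / "contract.txt"
        target.write_bytes(b"#" * target.stat().st_size)
        (root / "docs" / "invoice.txt").write_bytes(b"x")
        (root / "readme.txt").unlink()

        return verify_tree(json.loads(manifest_json), root)


if __name__ == "__main__":
    for state, files in demo().items():
        print(f"{state:12} {files}")
```

The manifest is written once, while the backup is known good, and travels with the offline copy; verifying a candidate tree against it tells an operator which files can be restored as-is and which have been replaced, truncated or removed, which is exactly the question a wiper victim needs answered before restoring.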