Skip to content
Ransomware group

Hitler-Ransomware

Hitler-Ransomware is a crude Windows ransomware-like malware discovered in 2016 by AVG malware analyst Jakub Kroustek.

Profile source: Mallory opens in a new tab

Hitler-Ransomware

Family profile

Hitler-Ransomware is a crude Windows ransomware-like malware discovered in 2016 by AVG malware analyst Jakub Kroustek. It is also misspelled in its lock screen as "Hitler-Ransonware" and reporting assessed it as an immature test or prototype variant, with embedded German-language text such as "Das ist ein Test" suggesting possible German origin or a German-speaking author. The malware displays a lock screen featuring Adolf Hitler, falsely claims the victim's files were encrypted, and demands payment via a 25 Euro Vodafone card within one hour.

Despite its claims, the malware does not encrypt files. Instead, it removes file extensions from files in user-accessible directories including %userprofile%\Pictures, Documents, Downloads, Music, Videos, Contacts, Links, and Desktop, as well as sample media folders under C:\Users\Public\. Analysis described the main executable as a batch file converted into an installer executable. On execution it extracts chrst.exe, ErOne.vbs, and firefox32.exe into a temporary folder under %Temp%. ErOne.vbs displays the message "The file could not be found!" to mislead the victim, and firefox32.exe is copied into the Windows Common Startup folder for persistence at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\firefox32.exe.

The malware starts a one-hour countdown and displays the lock screen. When the timer expires, it terminates csrss.exe, causing Windows to crash with a BSOD or hang until reboot. After reboot and login, the persisted firefox32.exe component deletes files under the victim's %UserProfile% directory. While active, it also monitors for and terminates taskmgr, utilman, sethc, and cmd to hinder user intervention. Reporting compared the threat to Ranscam because it pretends to encrypt data while actually destroying it. High-confidence associated files include %Temp%\[folder].tmp\chrst.exe, %Temp%\[folder].tmp\ErOne.vbs, %Temp%\[folder].tmp\firefox32.exe, and the Startup-folder copy of firefox32.exe.

Ransomware.live

Operational record

View group record ↗

MITRE ATT&CK

Hitler-Ransomware in ATT&CK

9 distinct techniques

Reporting

Research mentioning Hitler-Ransomware

Feb 10
Wikipedia Cyber Incidents

Hitler-Ransomware - Wikipedia

Hitler-Ransomware, or Hitler-Ransonware, is a form of ransomware created in 2016 originating in Germany. It requests payment within one hour; otherwise, it will delete files from the infected computer.

Aug 10
Web Archive

Thugs developing cat-themed ransomware for Androids and Hitler ransomware for PCs | Computerworld

AVG malware analyst Jakub Kroustek discovered the threat... Like the cat-themed ransomware for Android, this malware is believed to still be under development.

Aug 10
The Register

Hitler ‘ransomware’ offers to sell you back access to your files - but just deletes them

Cybercrooks have put together Hitler-themed ransomware that simply deletes files on encrypted PCs... “It does not encrypt any files at all. Instead this malware will remove the extension for all of the files under various directories, display a lock screen, and then show a one hour countdown... and on reboot, delete all of the files under the [user profile] of the victim.”

Aug 9
Vice

This Week in Crude Attempts at Malware: 'Hitler-Ransomware'

One new and particularly eyebrow-raising example is “Hitler-Ransomware,” which, as you might expect, displays a giant picture of Hitler on your screen.

Aug 8
Bleeping Computer

Development version of the Hitler-Ransomware Discovered

This is shown in a new ransomware called Hitler-Ransomware, or mispelled in the lock screen as Hitler-Ransonware, that has been discovered by AVG malware analyst Jakub Kroustek.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.