Hitler-Ransomware
Hitler-Ransomware is a crude Windows ransomware-like malware discovered in 2016 by AVG malware analyst Jakub Kroustek.
Profile source: Mallory opens in a new tabHitler-Ransomware
Family profile
Hitler-Ransomware is a crude Windows ransomware-like malware discovered in 2016 by AVG malware analyst Jakub Kroustek. It is also misspelled in its lock screen as "Hitler-Ransonware" and reporting assessed it as an immature test or prototype variant, with embedded German-language text such as "Das ist ein Test" suggesting possible German origin or a German-speaking author. The malware displays a lock screen featuring Adolf Hitler, falsely claims the victim's files were encrypted, and demands payment via a 25 Euro Vodafone card within one hour.
Despite its claims, the malware does not encrypt files. Instead, it removes file extensions from files in user-accessible directories including %userprofile%\Pictures, Documents, Downloads, Music, Videos, Contacts, Links, and Desktop, as well as sample media folders under C:\Users\Public\. Analysis described the main executable as a batch file converted into an installer executable. On execution it extracts chrst.exe, ErOne.vbs, and firefox32.exe into a temporary folder under %Temp%. ErOne.vbs displays the message "The file could not be found!" to mislead the victim, and firefox32.exe is copied into the Windows Common Startup folder for persistence at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\firefox32.exe.
The malware starts a one-hour countdown and displays the lock screen. When the timer expires, it terminates csrss.exe, causing Windows to crash with a BSOD or hang until reboot. After reboot and login, the persisted firefox32.exe component deletes files under the victim's %UserProfile% directory. While active, it also monitors for and terminates taskmgr, utilman, sethc, and cmd to hinder user intervention. Reporting compared the threat to Ranscam because it pretends to encrypt data while actually destroying it. High-confidence associated files include %Temp%\[folder].tmp\chrst.exe, %Temp%\[folder].tmp\ErOne.vbs, %Temp%\[folder].tmp\firefox32.exe, and the Startup-folder copy of firefox32.exe.
Ransomware.live
Operational record
MITRE ATT&CK
Hitler-Ransomware in ATT&CK
9 distinct techniquesReporting
Research mentioning Hitler-Ransomware
Hitler-Ransomware - Wikipedia
Hitler-Ransomware, or Hitler-Ransonware, is a form of ransomware created in 2016 originating in Germany. It requests payment within one hour; otherwise, it will delete files from the infected computer.
Thugs developing cat-themed ransomware for Androids and Hitler ransomware for PCs | Computerworld
AVG malware analyst Jakub Kroustek discovered the threat... Like the cat-themed ransomware for Android, this malware is believed to still be under development.
Hitler ‘ransomware’ offers to sell you back access to your files - but just deletes them
Cybercrooks have put together Hitler-themed ransomware that simply deletes files on encrypted PCs... “It does not encrypt any files at all. Instead this malware will remove the extension for all of the files under various directories, display a lock screen, and then show a one hour countdown... and on reboot, delete all of the files under the [user profile] of the victim.”
This Week in Crude Attempts at Malware: 'Hitler-Ransomware'
One new and particularly eyebrow-raising example is “Hitler-Ransomware,” which, as you might expect, displays a giant picture of Hitler on your screen.
Development version of the Hitler-Ransomware Discovered
This is shown in a new ransomware called Hitler-Ransomware, or mispelled in the lock screen as Hitler-Ransonware, that has been discovered by AVG malware analyst Jakub Kroustek.