BleepingComputer owner Lawrence Abrams has reported infections by a new and unusual ransomware, dubbed NitroRansomware, that demands a Discord Nitro gift code from its victims in exchange for decrypting their files.

Although Discord is a free VoIP service, it offers a $9.99 per month Nitro subscription add-on that provides additional benefits, such as larger uploads, HD video streaming, enhanced emojis, and the ability to boost your favorite server.

Image: Discord Nitro gift. Image Source: BleepingComputer

Unlike other ransomware, which demands thousands if not millions of dollars, NitroRansomware deviates from the norm by demanding a $9.99 Nitro gift code instead.

According to BleepingComputer’s analysis, once executed, the ransomware encrypts the victim’s files and gives them 3 hours to provide a valid Discord Nitro gift code. The malware appends the “.givemenitro” extension to the filenames of the encrypted files.

Image: NitroRansomware ransom note. Image Source: BleepingComputer

At the end of the encryption process, NitroRansomware changes the user’s wallpaper to an evil or angry-looking Discord logo.

Image: NitroRansomware wallpaper logo. Image Source: BleepingComputer

According to Lawrence, when a user enters a Nitro gift code URL, the ransomware verifies it against a Discord API URL. If a valid gift code link is entered, the ransomware decrypts the files using an embedded static decryption key.

However, since the decryption key is static and contained within the ransomware executable, a victim can decrypt the files without actually paying the Nitro gift code ransom. So, if you are targeted by this ransomware, you can share a link to the executable so that the decryption key can be extracted from it.

Unfortunately, NitroRansomware also performs other malicious activity on an infected device, such as stealing Discord authentication tokens, which are stored in *.ldb files under “Local Storage\leveldb”. Once stolen, the tokens are sent back to the ransomware operators over a Discord webhook.

NitroRansomware also implements backdoor capabilities, allowing the attackers to remotely execute commands and have the output sent through their webhook to the attacker’s Discord channel.

Researchers recommend that users infected with this ransomware immediately change their Discord password and perform an antivirus scan to detect other malicious programs added to the computer.

In addition, users should check for new user accounts in Windows that they did not create and remove them if found.
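Before restoring anything, a responder first wants an inventory of what the ransomware touched. The script below is an added example, not code from BleepingComputer’s or Heimdal’s analysis: it walks a directory tree for the “.givemenitro” extension named above, maps each hit back to its original filename (the article states the extension is appended, so that is simply stripped), and counts affected files per directory so restores from backup can be prioritized. The sample tree it scans is constructed in a temporary directory; the case-insensitive match is an assumption made because Windows filenames are case-insensitive.

```python
import os
import tempfile
from collections import Counter

# Extension that NitroRansomware appends to encrypted files (named in the article above).
RANSOM_EXT = ".givemenitro"


def find_encrypted_files(root):
    """Walk `root` and return a sorted list of paths carrying the ransomware extension.

    Matching is case-insensitive (assumption: Windows filenames are case-insensitive).
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(RANSOM_EXT):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def original_name(path):
    """Recover the pre-encryption filename by stripping the appended extension.

    'report.docx.givemenitro' maps back to 'report.docx'; names without the
    extension are returned unchanged.
    """
    base = os.path.basename(path)
    if base.lower().endswith(RANSOM_EXT):
        base = base[: -len(RANSOM_EXT)]
    return base


def summarize_by_directory(hits):
    """Count affected files per directory so responders can prioritize restores."""
    return dict(Counter(os.path.dirname(h) for h in hits))


def build_sample_tree():
    """Constructed demo tree (not data from a real infection) mixing hit and non-hit files."""
    root = tempfile.mkdtemp(prefix="nitro-triage-demo-")
    layout = {
        "Documents/report.docx.givemenitro": b"\x00constructed-ciphertext",
        "Documents/notes.txt": b"untouched",
        "Pictures/holiday.jpg.GIVEMENITRO": b"\x00constructed-ciphertext",
        "Pictures/readme.txt": b"untouched",
        "Desktop/budget.xlsx.givemenitro": b"\x00constructed-ciphertext",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


def triage(root):
    """Run the scan and return a report: total hits, (encrypted, original) pairs, per-directory counts."""
    hits = find_encrypted_files(root)
    return {
        "root": root,
        "count": len(hits),
        "files": [(h, original_name(h)) for h in hits],
        "by_directory": summarize_by_directory(hits),
    }


if __name__ == "__main__":
    demo_root = build_sample_tree()
    report = triage(demo_root)
    print(f"{report['count']} encrypted file(s) under {report['root']}")
    for encrypted, original in report["files"]:
        print(f"  {encrypted}  ->  {original}")
    for directory, n in sorted(report["by_directory"].items()):
        print(f"  {n} file(s) in {directory}")
```

Run it against a user profile root on a suspected machine instead of the demo tree; the per-directory counts tell you which folders to restore from backup first, and the recovered names let you confirm that a restored copy matches each encrypted file.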
