NitroRansomware Distributed as A Fake Free Nitro Gift Code Generator
The New Ransomware Encrypts Victims’ Files and Then Demands A Discord Nitro Gift Code to Decrypt Them.
BleepingComputer owner Lawrence Abrams reported infections of a new and unusual ransomware, dubbed NitroRansomware, that demands a Discord Nitro gift code from victims to decrypt their files.
There’s a ransomware called “Nitro Ransomware”.
“There is no other way to open it unless you have the decryption key. You have under 3 hours to give us Discord nitro.”
It actually checks if you entered a valid gift code.
Has a Discord token stealer too…
😂
🤦♂️ @demonslay335 pic.twitter.com/OayXQPcSEl
— MalwareHunterTeam (@malwrhunterteam) April 17, 2021
Although Discord is a free VoIP service, it offers a $9.99 per month Nitro subscription add-on that provides additional benefits, such as larger uploads, HD video streaming, enhanced emojis, and the ability to boost your favorite server.
Image Source: BleepingComputer
Unlike other types of ransomware attacks which demand thousands, if not millions, of dollars, NitroRansomware deviates from the norm by demanding a $9.99 Nitro Gift code instead.
As per BleepingComputer’s analysis, upon execution the ransomware encrypts the victim’s files and gives them 3 hours to provide a valid Discord Nitro gift code. The malware appends the “.givemenitro” extension to the filenames of the encrypted files.
Image Source: BleepingComputer
At the end of an encryption process, NitroRansomware will change the user’s wallpaper to an evil or angry Discord logo.
Image Source: BleepingComputer
According to Abrams, when a user enters a Nitro gift code URL, the ransomware verifies it using a Discord API URL. If a valid gift code link is entered, the ransomware decrypts the files using a static decryption key embedded in the executable.
However, since the decryption key is static and contained within the ransomware executable, a victim can decrypt the files without paying the Nitro gift code ransom: the key can be extracted from the executable itself. So, if you are targeted by this ransomware, share a link to the executable so the decryption key can be extracted from it.
Unfortunately, NitroRansomware also performs other malicious activity on an infected device, such as stealing Discord authentication tokens, which are stored in *.ldb files under “Local Storage\leveldb”. Once stolen, the tokens are sent back to the ransomware operators over a Discord webhook.
NitroRansomware also implements backdoor capabilities, allowing the hackers to remotely execute commands and then have the output sent through their webhook to the attacker’s Discord channel.
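As an added illustration of how a defender could spot the behaviours described above (example code written for this article, not from BleepingComputer’s analysis or from the malware itself): it runs a small rule set over constructed EDR-style event lines and flags processes that rename files to “.givemenitro”, or that read Discord’s leveldb token store and also connect to a Discord webhook. The event format, paths and process IDs are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article): one event per line in a
# hypothetical "pid=...|event=...|target=..." format exported from an EDR.
SAMPLE_EVENTS = r"""
pid=4120|event=file_read|target=C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb
pid=4120|event=net_connect|target=https://discord.com/api/webhooks/1234567890/abcdef
pid=4120|event=file_rename|target=C:\Users\alice\Documents\report.docx.givemenitro
pid=880|event=file_read|target=C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000003.ldb
pid=880|event=net_connect|target=https://gateway.discord.gg/
pid=2200|event=file_rename|target=C:\Users\alice\Pictures\cat.jpg.givemenitro
""".strip().splitlines()

# Indicators taken from the article's description of NitroRansomware.
LEVELDB_TOKEN_STORE = re.compile(r"\\Local Storage\\leveldb\\[^\\]+\.ldb$", re.IGNORECASE)
DISCORD_WEBHOOK = re.compile(r"^https://(?:[\w.-]+\.)?discord(?:app)?\.com/api/webhooks/", re.IGNORECASE)
ENCRYPTED_EXT = re.compile(r"\.givemenitro$", re.IGNORECASE)


def parse_event(line):
    """Split 'k=v|k=v|...' into a dict; malformed lines return None."""
    fields = dict(part.split("=", 1) for part in line.split("|") if "=" in part)
    if not {"pid", "event", "target"}.issubset(fields):
        return None
    return fields


def classify(lines):
    """Return {pid: set of verdicts} for processes showing the article's behaviours.

    Reading the leveldb token store alone is normal for the Discord client itself,
    so token theft is only flagged when the same process also talks to a webhook.
    """
    flags = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        pid, kind, target = ev["pid"], ev["event"], ev["target"]
        if kind == "file_read" and LEVELDB_TOKEN_STORE.search(target):
            flags[pid].add("reads_token_store")
        elif kind == "net_connect" and DISCORD_WEBHOOK.match(target):
            flags[pid].add("uses_webhook")
        elif kind == "file_rename" and ENCRYPTED_EXT.search(target):
            flags[pid].add("renames_givemenitro")
    verdicts = {}
    for pid, f in flags.items():
        v = set()
        if "renames_givemenitro" in f:
            v.add("ransomware_encryption")
        if {"reads_token_store", "uses_webhook"} <= f:
            v.add("discord_token_theft")
        if v:
            verdicts[pid] = v
    return verdicts
```

Run against the sample, pid 4120 is reported for both encryption and token theft, pid 2200 for encryption only, and the legitimate client (pid 880) is not reported.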
Researchers recommend that users infected with this ransomware immediately change their Discord password and run an antivirus scan to detect any other malicious programs added to the computer.
In addition, users should check for new user accounts in Windows that they did not create and remove them if found.