
Why NitroRansomware Demands Nitro Gift Code From Victims to Decrypt their Files

by CISOCONNECT Bureau

A new ransomware threat has emerged online, with a one-of-a-kind ransom demand. Read on to know more about it…

Researchers have discovered a new ransomware strain in the wild whose operators are fixated on Discord Nitro. The malware, dubbed NitroRansomware, encrypts a victim’s data and only unlocks it after receiving Discord Nitro gift codes. In simple words, the malware demands Discord Nitro gift codes as ransom in exchange for decrypting the victim’s data.

Discord is a community-building tool that combines VoIP, instant messaging, and digital distribution. In private chats or as part of communities called “servers,” users connect through voice calls, video calls, text messages, media, and files. Users can upgrade to a $9.99 “Nitro” subscription, which allows for larger upload sizes, HD video streaming, better emoji options, and the ability to “stand out” with server promotions.

Nitro subscriptions seem to be of great concern to the operators of the NitroRansomware ransomware. Other researchers looked at how the code operates after MalwareHunterTeam discovered it. It’s being circulated around as a free gift code generator for Nitro.

Working Mechanism
The ransomware, it turns out, reaches its victims by posing as a tool that generates free Nitro gift codes. A typical consumer, such as a Discord user who wants Nitro, is exactly the kind of person likely to fall for it.

A ransomware screen appears as well, which acts as the ransom note. It demands that the ransom be paid in Nitro gift codes. In addition to this unusual requirement, the threat actors have set a three-hour deadline for paying it. In the event that the ransom is not paid, they threaten to delete all of the victim’s files. However, according to Bleeping Computer, this threat is merely a bluff, and nothing happens even after the three-hour deadline has passed.

When a victim pays the ransom, the attackers use the Discord API to verify the gift code’s validity. Only if the code checks out do the threat actors decrypt the data.

Cezarina Chirica, Security Researcher at Heimdal, explained in a Monday posting: “Upon executing the ransomware, it will encrypt the victim’s file and will give three hours to them to provide a valid Discord Nitro [code].

“The malware appends the ‘.givemenitro’ extension to the filenames of the encrypted files. At the end of an encryption process, NitroRansomware will change the user’s wallpaper to an evil or angry Discord logo.”

Built-in Static Decryptor & Additional Functions
The decryptor is simply a static key embedded within the ransomware code, according to the researchers. As a result, victims who are able to extract that key will not need to pay the ransom at all.

Victims would still suffer other harm from this attack, however. NitroRansomware also includes a backdoor feature, which gives the attacker the ability to run commands on the infected machine.

The key issue for a victim, on the other hand, is that the ransomware also steals Discord tokens. A stolen token gives the attacker the same access to the account as the victim has.

As Bleeping Computer explained, “When NitroRansomware starts, it will search for a victim’s Discord installation path and then extract user tokens from the *.ldb files located under “Local Storage\leveldb.” These tokens are then sent back to the threat actor over a Discord webhook.”

Hence, victims of this ransomware must ensure that their Discord passwords are changed in order to prevent losing their accounts.

The ransomware also harvests information from web browsers. Therefore, victims may need to check and update the passwords for all of the accounts they’ve saved in their browsers.
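The two indicators the article describes, the “.givemenitro” extension on encrypted files and the theft of tokens from the *.ldb files under Local Storage\leveldb followed by a POST to a Discord webhook, can be checked for on a host with a small triage script. The following is an added example written for this page, not code from the article, Heimdal or Bleeping Computer. The file-event and proxy-log formats, the sample paths, the process name “NitroGenerator.exe” and the webhook id/token are all constructed; only the extension, the leveldb directory and the use of a Discord webhook come from the article.

```python
"""Host/proxy triage for the NitroRansomware indicators described in the article.

Added example: log formats and sample values below are constructed, not real
telemetry. Only the ".givemenitro" extension, the "Local Storage\\leveldb" token
directory and the Discord webhook exfiltration channel come from the article.
"""
import re

RANSOM_EXTENSION = ".givemenitro"          # appended to encrypted files (per article)
LEVELDB_MARKER = r"local storage\leveldb"  # where Discord keeps its *.ldb token files (per article)

# Discord webhook URLs have the form https://discord.com/api/webhooks/<id>/<token>.
# A home user's machine has little reason to POST to one; the article names this
# as the channel over which stolen tokens leave.
WEBHOOK_RE = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.IGNORECASE
)


def find_encrypted_files(paths):
    """Paths carrying the ransomware's extension (case-insensitive); empty means none seen."""
    return sorted(p for p in paths if p.lower().endswith(RANSOM_EXTENSION))


def find_token_store_reads(file_events):
    """(process, path) pairs where a process other than Discord itself read an *.ldb
    file under Local Storage\\leveldb.  file_events: iterable of (process, action, path)."""
    hits = []
    for process, action, path in file_events:
        low = path.lower()
        if action != "read" or LEVELDB_MARKER not in low or not low.endswith(".ldb"):
            continue
        if process.lower() != "discord.exe":
            hits.append((process, path))
    return hits


def find_webhook_posts(proxy_lines):
    """(client, url) for proxy log entries that POST to a Discord webhook.
    Constructed line format: '<iso-time> <client-ip> <method> <url> <status>'."""
    hits = []
    for line in proxy_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line: skip it rather than abort the sweep
        _ts, client, method, url, _status = fields[:5]
        if method.upper() == "POST" and WEBHOOK_RE.fullmatch(url):
            hits.append((client, url))
    return hits


def triage(paths, file_events, proxy_lines):
    """Combine the three checks into one verdict dict."""
    encrypted = find_encrypted_files(paths)
    token_reads = find_token_store_reads(file_events)
    webhooks = find_webhook_posts(proxy_lines)
    return {
        "encrypted_files": encrypted,
        "token_store_reads": token_reads,
        "webhook_posts": webhooks,
        # Token theft matters even if the files are recovered with the static key:
        # the Discord account stays exposed until the password (and token) is rotated.
        "rotate_discord_password": bool(token_reads or webhooks),
        "ransomware_encryption_seen": bool(encrypted),
    }


# Constructed sample data (not real telemetry).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\thesis.docx.givemenitro",
    r"C:\Users\alice\Pictures\cat.jpg.GIVEMENITRO",
    r"C:\Users\alice\Documents\notes.txt",
]
SAMPLE_FILE_EVENTS = [
    ("Discord.exe", "read", r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"),
    ("NitroGenerator.exe", "read", r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"),
    ("NitroGenerator.exe", "read", r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\LOG"),
]
SAMPLE_PROXY = [
    "2021-04-19T10:00:01Z 10.0.0.5 GET https://discord.com/api/v9/users/@me 200",
    "2021-04-19T10:00:07Z 10.0.0.5 POST https://discord.com/api/webhooks/123456789012345678/AbCdEf-ghIJkl_mn 204",
    "2021-04-19T10:00:09Z 10.0.0.5 GET https://cdn.discordapp.com/avatars/x.png 200",
    "garbage line",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PATHS, SAMPLE_FILE_EVENTS, SAMPLE_PROXY), indent=2))
```

On the constructed sample the script reports two encrypted files, one non-Discord process reading the token store, and one webhook POST, and therefore flags the Discord password for rotation. The point of keeping the token checks separate from the encryption check is the one the article makes: even a victim who recovers the static key and never pays still has a compromised account.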

Mitigation
According to Chirica, users infected with the ransomware should change their Discord password right away and run an antivirus scan to see whether there are any other malicious programs on their device. Users should also look for new Windows user accounts that they did not create and delete any they find.
