GermanWiper Masquerades as Ransomware, Rewrites Files and Destroys Data

Since the end of July, GermanWiper malware has targeted users, particularly those in Germany. The malware is distributed via malicious emails that claim to be a job application from “Lena Kretschmer” with a résumé attached in a ZIP file. The ZIP file contains a LNK shortcut file that, when opened, installs GermanWiper. The malware masquerades as ransomware, appending new extensions to files and opening an HTML ransom note on the infected machine; however, it is actually wiper malware that rewrites local files with 0x00, permanently destroying the data. Though the ransom note claims to give the victim seven days to pay, paying the ransom in this case will not recover the user’s files and, therefore, victims are advised not to pay. Similar tactics are used in the US where threat actors often use ZIP files to deliver malware to end users as many email gateways are unable to properly scan the contents of these files for malware. The NJCCIC recommends users and administrators refrain from opening attachments or clicking links delivered with unsolicited or unexpected emails, and exercise extreme caution when receiving emails with ZIP file attachments, even those from known senders. Email security teams are encouraged to develop a process necessary to quarantine and analyze ZIP file attachments prior to their delivery to intended recipients. Users are advised against paying any ransom demand as paying does not guarantee file restoration and perpetuates the crime. For additional details on GermanWiper, please review the ZDNet article.