Hitler-Ransomware, or Hitler-Ransonware as it is displayed on its lock screen, targets Windows OS and its method of distribution is currently unknown. Rather than appending extensions to names of encrypted files, Hitler-Ransomware removes all extensions for files located in specific folders. It extracts the following files into the infected system’s %Temp% folder: chrst.exe, ErOne.vbs, and firefox32.exe, which is also copied into the startup folder to be automatically launched upon system reboot. It also kills the following processes: taskmgr, utilman, sethc, and cmd. Hitler-Ransomware will cause the infected system to crash and will also delete all files under the %UserProfile% folder when the system restarts if the ransom demand is not met within an hour. Hitler-Ransomware demands a ransom amount of 25 Euros payable via a Vodafone card code.

  • Bleeping Computer provides more information about Hitler-Ransomware here.
  • The NJCCIC is not currently aware of any decryption tools available for Hitler-Ransomware.

One example of the Hitler-Ransomware variant. Image Source: Bleeping Computer