A security analyst discovered an unfinished version of a new strain of ransomware. The malware, dubbed Hitler-Ransomware – or actually “Hitler-Ransonware” – appears to be under development.
The malware does not encrypt any files and is likely a test variant, according to BleepingComputer's founder, Lawrence Abrams. In a blog post, Abrams noted that the malware's batch file removes the extensions from all files under common computer folders, including Pictures, Documents, Downloads, Music, Videos, Contacts, Links, Desktop, Sample Pictures, Sample Music, and Sample Videos.
“While the ransomware is running it will constantly look for any processes that have the names taskmgr, utilman, sethc, or cmd,” Abrams wrote. “If one of these processes is detected, it will terminate them.”
The ransomware lock screen displays a photo of Adolf Hitler giving the Nazi salute, accompanied by the message “Your Files was encrypted!” AVG malware analyst Jakub Kroustek announced his discovery with a tweet mocking the developer's grammar: *sigh* #Hitler #Ransomware. #GrammarNazi.
Plixer director of IT and Services Thomas Pore said in email correspondence with SCMagazine.com that the string of German text in the batch file as well as other indicators suggested that “we will likely see a more mature version popping up shortly.”
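The extension-stripping behavior Abrams describes leaves a recognizable trace in file-rename telemetry. The following detection sketch is an added example, not code from the article or from BleepingComputer; the `(process, old_path, new_path)` event format, the threshold, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Folder names taken from the article's list of affected locations.
WATCHED = {"pictures", "documents", "downloads", "music", "videos", "contacts",
           "links", "desktop", "sample pictures", "sample music", "sample videos"}


def strips_extension(old, new):
    """True when a rename keeps the directory and base name but drops the extension."""
    o, n = PureWindowsPath(old), PureWindowsPath(new)
    return (o.parent == n.parent and o.suffix != "" and n.suffix == ""
            and o.stem.lower() == n.name.lower())


def in_watched_folder(path):
    """True when any directory component of the path is one of the watched folders."""
    return any(part.lower() in WATCHED for part in PureWindowsPath(path).parent.parts)


def flag_processes(events, threshold=3):
    """events: iterable of (process, old_path, new_path) rename records (assumed format).
    Returns {process: count} for processes that stripped extensions from at least
    `threshold` files in watched folders."""
    counts = defaultdict(int)
    for proc, old, new in events:
        if in_watched_folder(old) and strips_extension(old, new):
            counts[proc] += 1
    return {p: c for p, c in counts.items() if c >= threshold}


# Constructed sample events, not taken from a real incident.
SAMPLE_EVENTS = [
    ("sample.bat", r"C:\Users\alice\Documents\report.docx", r"C:\Users\alice\Documents\report"),
    ("sample.bat", r"C:\Users\alice\Pictures\cat.jpg", r"C:\Users\alice\Pictures\cat"),
    ("sample.bat", r"C:\Users\alice\Music\song.mp3", r"C:\Users\alice\Music\song"),
    # Ordinary rename to a different name: not an extension strip.
    ("explorer.exe", r"C:\Users\alice\Desktop\notes.txt", r"C:\Users\alice\Desktop\todo.txt"),
    # A single user-initiated strip stays below the threshold.
    ("explorer.exe", r"C:\Users\alice\Desktop\draft.txt", r"C:\Users\alice\Desktop\draft"),
    # Outside the watched folders.
    ("backup.exe", r"C:\Temp\a.tmp", r"C:\Temp\a"),
]

if __name__ == "__main__":
    print(flag_processes(SAMPLE_EVENTS))
```

The threshold separates a user occasionally removing an extension by hand from a process doing so in bulk; tune it to the volume of rename events in the environment.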