back to article Hitler ‘ransomware’ offers to sell you back access to your files – but just deletes them

Cybercrooks have put together Hitler-themed ransomware that simply deletes files on encrypted PCs. The (apparently prototype) Windows malware displays a lock screen1 featuring the infamous Austrian dictator, together with a demand falsely stating that files have been encrypted. The ransomware says files can supposedly be …

  1. Anonymous Coward
    Anonymous Coward

    Since educating users, and backups seem to be off the table, the solution to ransomware seems to be versioning / logging file system, where nothing is ever deleted, and anything can be rolled back.

    1. lansalot

      That doesn't work well when the people this most typically affects (home users) are local admins on their own machine, and the first thing the malware does is turn of versioning and deleting any existing snapshots...

    2. Anonymous Coward
      Anonymous Coward

      Yep, such filesystems do exist, but they're CoWs of things for chewing up disk space if not managed.

      1. Pascal Monett Silver badge

        Re: chewing up disk space if not managed

        And we all know that home users do not manage.

  2. theModge

    Das ist ein Test

    Could be Germans, but I use that phrase as a test all the time simply because "Test 123" gets old very quickly - it's not exactly the hardest to guess phrase in the language. I'd always assumed I was spelling it wrong - I've never studied German.

    1. Anonymous Coward
      Anonymous Coward

      Re: Das ist ein Test

      don't know why you've been downvoted for an anecdote?

      1. BebopWeBop

        Re: Das ist ein Test

        Or you for mentioning it. (Soon to be down voted by relevant twat)

        1. jonathan1

          Re: Das ist ein Test

          Interesting. Test data does get boring. I changed my job title to 'Moose Thrower' on our CRM system once during some testing then forgot. Caused a few chuckles.

          Who is this phantom downvoter?

          1. Anonymous Coward
            Anonymous Coward

            Re: Das ist ein Test

            "Phantom Downvoter" is too cool a name for him or her. Just stick with "Relevant Twat" or just "Twat".

  3. Doctor Syntax Silver badge

    "“However the approach to delete all of the files upon reboot after initiating an OS crash leaves users few alternatives.”

    s/few/a few/

    1. Boot from any live Linux disk and rename the user's directory.

    2. Boot from any live Linux disk and back up the files.

    3. If the user reboots first and assuming the S/W didn't actually overwrite the files before deleting them boot from one of several available live recovery disks and recover the files. I've done that with better ransomware than this one.

    1. Baldy50

      That's what I was thinking but if the person infected with this nasty doesn't know how to even DL an ISO and burn it so as to boot from it to make a repair, they'll just re start the machine and lose all.

      Maybe it's time basic malware detection and removal was taught in schools and colleges along with other IT skills as a essential, necessary prerequisite to growing up in an seedy online world from as soon as they're able.

      With the clean up software easily available from say Bleeping computer and Windows BBS, lessons reading and understanding the virus and malware removal logs and trying the necessary software out that deals with these infections could create a far more robust user base.

      While we wait for the software companies and legal authorities to get their act together, so maybe by 2099 we'd be sorted.

      I know what your going to say and yes a lot of students would not have the mindset to do this sort of thing but possibly would spot an infection before too much harm was done and might know someone that could help them, perhaps a nerdy friend who was in the same class.

      Yes I still use trig so as I thought at the time along with a load of other stuff not useful to me, this would be used all the time I'm sure, spotting the signs is big chunk of the problem and where to go for the tools you'll need and how to sort it, might get a few more youngsters involved in IT.

  4. ma1010


    The lock screen features a misspelling “Ransonware”, further evidence that the malicious code was either hastily or sloppily put together.

    And the fact that they say "Your files was encrypted" could be further evidence of hasty/sloppy assembly, or the fact that the malware writers just don't speak no good English.

    1. Anonymous Coward
      Anonymous Coward

      Damn foreigners!

      The malware industry has been almost completely moved out of the US. I hope Trump brings back those jobs when he brings the jobs back from China!

  5. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward


      All your ransons r belong to us.

      Nice tip about the LiveCD, BTW.

  6. tiesx150


    I got a fishing email from 'Samtander' last week where the crooks couldn't even spell the bank correctly in the email subject.

    Surely if these people invest the time crafting these packages to socially engineer us folk then maybe they should use spelll check ?

    Yes that WAS a deliberate typo. )

    1. Anonymous Coward Silver badge

      Re: Spelling!

      Or they know that including the correct spelling of the bank is likely to trigger deeper phishing analysis.

      Plus they want to target the gullible so use mis-spellings as an early filter.

      Just because it looks like a mistake doesn't mean it actually is.

    2. Anonymous Coward
      Anonymous Coward

      Re: Spelling!

      Thanks to the rather high availability of malware toolkits on the "dark" interweb, the barrier to entry for illiterate script kiddies is now dismally low. Be prepared for more of this.

      There are ways to make it harder for ransomware to attack your PC (restricting access to .tmp and other files via GPOs for example). Bleeping Computer and other sites can provide guidance. Ad-blockers et al should be your friends. Despite the occasional inconvenience of such measures, I still sleep a little better at night.

      Sadly, the web world remains a bad place and is getting steadily worse. Having large swathes of the PC ecosystem populated by insecure browsers, OSes, Flash installs and the many other cr*p solutions the industry must still answer for is no help.

      So just stay patched up and keep educating your users about the dangers of random clickery. Good and regular backups on separate media are also useful.

      It is still very difficult to fix human ignorance, fallibility (and greed) by technical means.

      1. Stoneshop Silver badge

        Re: Spelling!

        It is still very difficult to fix human ignorance, fallibility (and greed) by technical means.

        Unless it inconveniences you, why would you?

      2. Commswonk

        Re: Spelling!

        It is still very difficult impossible to fix human ignorance, fallibility (and greed) by technical means.


  7. Soruk

    Honour System Malware

    Congratulations, you have just been infected by the Honour System Malware.

    Please send me a £10 O2 top-up voucher code within the next three hours, alternatively please format your hard drive.

    Thank you!


    1. Swarthy Silver badge

      Re: Honour System Malware

      Damn you! - Wait, is this a Linux, Mac, or Windows Malware? I need to know which format command to type in.

      The state of my HDD in about three hours.-->

  8. Stevie


    So, another Piranha Bros. attack in the wild.

    The other, other, other operation: They will beat you up whether or not you pay the money.

  9. Anonymous Coward
    Anonymous Coward

    You think its bad now..

    The latest variant of C-L (5.0) attacks the common BIOS's, network cards and even writes nasty code to the EDID chips on the LCD and external panel so you can't connect it to another setup without triggering the 4* BTC ransom demand.

    Essentially every part is locked to the machine, however just changing the hard drive and resetting the BIOS to default (cough crisis disk /cough) can get rid of it at the cost of not being able to see the LCD or network adaptor until the defective chips are rewritten.

    I'm pretty sure that this one was written with full knowledge of the specific machines (ie manufacturers handed over secret documents) which is even worse.

    It seems that the attack vector is to directly infect the vulnerable network adaptor and then download parts of itself into any writeable chip's slack space so it can reconstruct itself when damaged, the code also searches for a more recent BIOS update and edits it to add the malicious code, changes the checksum and rewrites on the next boot to get around protected mode.

    1. Anonymous Coward
      Anonymous Coward

      Re: You think its bad now..

      Jesus Christ!!

      1. Anonymous Coward
        Anonymous Coward

        Re: You think its bad now..

        Ironically this is why setting a complex password to access the BIOS is a good idea.

        If it needs this typed to flash the malware can only ever trash the HDD/screen and thats it.

        Also some router manufacturers added CAPTCHAs for this reason, good idea IMHO.

        I have the dead machine here, its a brick. HDD ruined, can't even use the memory. Bastards!

        Only good part was the CPU so unless they can read CPUID.. AUGH<NO CARRIER>

  10. allthecoolshortnamesweretaken

    "Nazi Script Kiddies Must Die" - Film at 11

  11. Anonymous Coward
    Anonymous Coward

    Mein Gott...

    ... it's like traversing a directory tree and removing file extensions in Nazi Germany!

    (with apologies to Rik and Eddie (Hitler))

    also 'Das Boot' up...

  12. Oengus

    Irish equivalent

    A mate of mine sent me this a while ago...

    This is the Irish equivalent.

  13. P. Lee

    Maybe this is a good thing

    If everyone hears ransomware never gives you your files back, they won't pay, and (hopefully) scammers move on to more lucrative things.

    /trying really hard to see silver lining

  14. David Roberts

    Still musing

    On how you get a cash card and type in the number in less than an hour.

    1. AndrueC Silver badge

      Re: Still musing

      If it involves trying to contact Vodafone you'll still be in the queue waiting to speak to someone.

  15. Big_Boomer


    "Rançon" is French for ransom so I suspect someone is either French/Francophone or else wants us to think so. Have now seen several instances of Ransom-ware and anyone who pays should be permanently denied all internet access privileges and only be allowed a phone if it involves yoghurt cups and string. Backup your data people!!!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022