GermanWiper ransomware hits Germany, destroys files then asks for ransom

For the past week, a new ransomware strain has been wreaking havoc across Germany. Named GermanWiper, this ransomware doesn’t encrypt files but instead it rewrites their content with zeroes, permanently destroying users’ data.

As a result, any users who get infected by this ransomware should be aware that paying the ransom demand will not help them recover their files. Unless users had created offline backups of their data, their files are most likely gone for good.

For now, the only good news is that this ransomware appears to be limited to spreading in German-speaking countries only, and with a focus on Germany primarily. First signs of GermanWiper were reported earlier this week when victims started asking for help on the Bleeping Computer forums, a popular place where internet users congregate to get advice in dealing with ransomware infections. The first report came on Tuesday, July 30, and they kept piling on through the following days. The GermanWiper ransomware is currently being distributed via malicious email spam (malspam)

These emails claim to be job applications from a person named “Lena Kretschmer.” A CV is attached as a ZIP file to these emails, and contains a LNK shortcut file. The LNK file is boobytrapped and will install the GermanWiper ransomware.

When users run this file, the ransomware will rewrite the content of various local files with the 0x00 (zero character), and append a new extension to all files. This extension has a format of five random alpha-numerical characters, such as .08kJA, .AVco3, .OQn1B, .rjzR8, etc.


These types of undefendable attacks underline the genuine need for phishing and security awareness training. You’ll be amazed at how affordable it is.

The full story is at ZDNET:

Recent posts