A new ransomware strain with an unusual ransom demand has surfaced online. Dubbed NitroRansomware, the malware demands Discord Nitro gift codes in exchange for unlocking the victim's data.
NitroRansomware Asks For Discord Nitro Gift Codes
Researchers have found new ransomware in the wild that is fixated on Discord Nitro. Dubbed NitroRansomware, the malware encrypts a victim's data and only releases it after receiving Discord Nitro gift codes.
Nitro is a subscription add-on for Discord that offers extra features such as HD streaming, custom emojis, bigger uploads, and more for $9.99/month.
The ransomware first caught the attention of MalwareHunterTeam, after which Bleeping Computer published a detailed analysis of it.
There's a ransomware called "Nitro Ransomware".
"There is no other way to open it unless you have the decryption key. You have under 3 hours to give us Discord nitro."
It actually checks if you entered a valid gift code.
Has a Discord token stealer too…
— MalwareHunterTeam (@malwrhunterteam) April 17, 2021
As it turns out, the ransomware reaches victims by posing as a tool that generates free Nitro gift codes, a lure that an average Discord user looking for a free subscription could easily fall for.
Once on the target system, the malware encrypts the victim's files and appends a ".givemenitro" extension to their names. After the encryption finishes, it changes the victim's desktop wallpaper to an evil Discord logo.
A ransomware screen also appears that serves as the ransom note. It demands that the victim pay the ransom as Nitro gift codes and sets a very short deadline of three hours, threatening to delete all of the victim's data if the ransom is not paid in time.
However, Bleeping Computer observed that this threat is merely a bluff: nothing happens even after the three-hour deadline passes.
Once a victim enters a gift code, the malware checks its validity against a Discord API URL. If the code checks out, the data is decrypted.
Static Decryptor Present Within The Ransomware
The researchers found that the decryption key is a static key embedded within the ransomware code. Victims who can recover it therefore need not pay the ransom at all.
Even so, they would still suffer some damage from this attack. NitroRansomware also carries backdoor functionality and can execute commands on the target system.
The main problem for a victim, however, is that the ransomware also steals Discord tokens, which allow the attacker to log in as the victim. As Bleeping Computer explained,
When NitroRansomware starts, it will search for a victim’s Discord installation path and then extract user tokens from the *.ldb files located under “Local Storage\leveldb.” These tokens are then sent back to the threat actor over a Discord webhook.
Victims of this ransomware must therefore change their Discord passwords to avoid losing their accounts.
The ransomware also steals data from web browsers, so victims may also have to review and change the passwords of all accounts saved in their browsers.
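For responders, the three indicators the article gives (the ".givemenitro" extension, token strings sitting in Discord's "Local Storage\leveldb" *.ldb files, and exfiltration over a Discord webhook) are enough to script a first-pass triage. The following is an added example written for this page, not code from the article, MalwareHunterTeam or Bleeping Computer. It assumes a token regex of the shape public Discord tooling commonly uses (three dot-separated base64url groups) and Discord's documented webhook URL path (`/api/webhooks/<id>/<token>`); the sample files and log lines it builds are constructed, not from a real incident.

```python
"""Triage helpers for the NitroRansomware indicators described above.

Added example, not the article's or the researchers' code. Assumptions
(not stated on the page): TOKEN_RE is the token shape public Discord
tooling commonly matches; WEBHOOK_RE follows Discord's documented
webhook URL path. Sample data below is constructed for the demo.
"""
import os
import re
import tempfile

ENCRYPTED_EXT = ".givemenitro"  # extension the article reports
# Heuristic token shape (assumption): 24, 6 and 25+ base64url characters.
TOKEN_RE = re.compile(rb"[\w-]{24}\.[\w-]{6}\.[\w-]{25,110}")
# Outbound exfil target: Discord webhook URL path (assumption on exact host).
WEBHOOK_RE = re.compile(r"discord(?:app)?\.com/api/webhooks/\d+/")

# Constructed proxy/EDR log lines; process and URL values are made up.
SAMPLE_LOG = [
    "2021-04-17T12:00:01 proc=FreeNitroGen.exe POST https://discord.com/api/webhooks/812345678901234567/abc-DEF 204",
    "2021-04-17T12:00:02 proc=Discord.exe GET https://discord.com/api/v9/users/@me 200",
    "2021-04-17T12:00:03 proc=chrome.exe POST https://example.com/upload 200",
]


def find_encrypted_files(root):
    """Return sorted paths under root that carry the .givemenitro extension."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(ENCRYPTED_EXT):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def count_token_like_strings(leveldb_dir):
    """Count token-shaped byte strings in *.ldb files under a leveldb directory.

    This is the location the article says the stealer reads from; a non-zero
    count means a token was on disk for the malware to take, so rotate it.
    Files without the .ldb suffix are ignored, matching the described behaviour.
    """
    if not os.path.isdir(leveldb_dir):
        return 0
    total = 0
    for name in os.listdir(leveldb_dir):
        if name.endswith(".ldb"):
            with open(os.path.join(leveldb_dir, name), "rb") as fh:
                total += len(TOKEN_RE.findall(fh.read()))
    return total


def webhook_posts(log_lines):
    """Return log lines showing an HTTP POST to a Discord webhook URL."""
    return [line for line in log_lines if "POST" in line and WEBHOOK_RE.search(line)]


def build_sample_tree(base):
    """Create a constructed victim-like directory layout for the demo."""
    docs = os.path.join(base, "Documents")
    ldb = os.path.join(base, "discord", "Local Storage", "leveldb")
    os.makedirs(docs)
    os.makedirs(ldb)
    for name in ("report.docx.givemenitro", "photo.jpg.givemenitro", "notes.txt"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"x")
    fake_token = b"A" * 24 + b"." + b"B" * 6 + b"." + b"C" * 27  # constructed
    with open(os.path.join(ldb, "000005.ldb"), "wb") as fh:
        fh.write(b'\x00token\x00"' + fake_token + b'"\x00')
    with open(os.path.join(ldb, "LOG"), "wb") as fh:
        fh.write(fake_token)  # not an .ldb file, so it must not be counted
    return docs, ldb


def demo():
    """Run all three checks over the constructed sample and report findings."""
    with tempfile.TemporaryDirectory() as base:
        docs, ldb = build_sample_tree(base)
        return {
            "encrypted": [os.path.basename(p) for p in find_encrypted_files(docs)],
            "token_strings_on_disk": count_token_like_strings(ldb),
            "webhook_posts": len(webhook_posts(SAMPLE_LOG)),
        }


if __name__ == "__main__":
    print(demo())
```

On a real host, point `find_encrypted_files` at the user profile and `count_token_like_strings` at the Discord "Local Storage\leveldb" directory; the webhook check is only as good as the proxy or EDR log it is fed, and a token found on disk should be treated as already stolen regardless of what the logs show.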