Some ransomware demands tens of millions of dollars from its victims. This one is satisfied with a gift code worth $9.99. Bleeping Computer analyzed the strange “NitroRansomware”, which takes its name from Discord Nitro, the premium version of the chat app.
For $9.99 per month, Nitro subscribers get some technical advantages (streaming with better image quality, uploading larger files, “boosting” a server, etc.), as well as cosmetic ones (emojis, profile customization…). In other words, Nitro is not necessary to take full advantage of Discord, but it does provide access to convenience options. The platform offers monthly or yearly subscriptions, and also lets a user buy a subscription as a gift for another user. Once payment has been made, the buyer gets a URL of the form https://discord.gift/ followed by a unique code that they can send to a friend.
Although optional, Nitro is coveted. In particular, there is a myth around “Nitro generators”, scripts that would supposedly be able to create gift codes to activate the subscription. Thieves know that this kind of fraudulent tool is sought after on poorly moderated forums and discussion channels. They therefore take the opportunity to hide malware (including NitroRansomware) in the guise of a generator. It is a perfect cover: the illicit nature of the supposed generator serves as the justification for asking the user to disable the computer’s protections, which leaves it vulnerable to malware.
The Discord user will download the file and then run it on their PC, but they will never get the hoped-for codes.
NitroRansomware then deploys on the computer and encrypts the files it finds there. Concretely, the encryption prevents the contents of the documents from being read, and the software on the device stops functioning. To impress the victim, this ransomware also changes the computer’s wallpaper to a modified Discord logo with devil horns, Bleeping Computer notes.
The only way, in theory, to reverse this encryption is to get the decryption key from the thieves. Usually, thugs drop a succinct ransom note on infected devices, in the form of a virtual post-it. The developers of NitroRansomware, for their part, preferred to create a ransom screen of their own, which is displayed in full screen. At the top of the screen is the message “Oh no, your files have been encrypted”. On the left, the thugs display a three-hour stopwatch, by the end of which the victim must pay, or “his files will disappear forever”. On the right, they explain the principle of the operation: the victim must enter a Nitro code in the bar provided for this purpose to obtain the decryption tool.
More than just ransomware
Bleeping Computer notes that since the decryption key is contained in the file downloaded by the victim, there is no need to pay the ransom: competent people will be able to extract the decryption key from the file and use it themselves to undo the damage. And that’s not all: the three-hour stopwatch is just a subterfuge to rush the victims’ decision; it will not delete the contents of the computer.
Despite these design flaws, this malware is dangerous because it turns out to be more than ransomware. It is also a “grabber”, able to steal Discord authentication tokens. These tokens allow criminals to connect to the account without even having obtained the victim’s credentials. NitroRansomware victims will therefore have to change their password (which will change the tokens), and also scan their computer for other possible malware.