FANDOM


GermanWiper is a ransomware that targets german victims. GermanWiper has some similarities with a recent Sodinokibi ransomware campaign that pushed malicious emails impersonating BSI, the German national cybersecurity authority.

Behavior

GermanWiper behaves like a wiper than it does as a ransomware.

Payload

Transmission

GermanWiper is being distributed in Germany through a spam campaign that pretends to be a job applicant named Lena Kretschmer who is submitting their resume.

The emails being sent have the subject "Ihr Stellenangebot - Bewerbung [Your job offer - Application] - Lena Kretschmer" and contain an attachment titled "Unterlagen_Lena_Kretschmer.zip" posing as a document archive.

The attachment contains two files that pretend to be PDF resumes for the sender. Security researcher James found that these PDFs are actually shortcuts (LNK) that execute a PowerShell command to download an HTA file from the expandingdelegation[.]top site and launch it on the local machine.

When the HTA file is executed, it will download the ransomware executable and save it to the C:\Users\Public folder and as an executable with a three letter file name. The wiper is then launched.

Infection

When GermanWiper is first executed, it terminates processes associated with database and other software so that the files can be accessed and wiping becomes possible. The list of terminated processes are below:

notepad.exe
dbeng50.exe
sqbcoreservice.exe
encsvc.exe
mydesktopservice.exe
isqlplussvc.exe
agntsvc.exe
sql.exe
sqld.exe
mysql.exe
mysqld.exe
oracle.exe

It then scans the system for files to destroy. When wiping files, it skips files that have certain names, extensions, or are located in particular folders. A list of folders spared by the wiping process is available below:

windows
recycle.bin
mozilla
google
boot
application data
appdata
program files
program files (x86)
programme
programme (x86)
programdata
perflogs
intel
msocache
system volume information

The reason for skipping them is because they are essential for Windows booting properly and for browsing the web.

Destroying the data is done by overwriting its content with zeroes. To make it look like an encryption process occurred, each file is appended to its name a random 5 character extension, such as .08kJA, .AVco3, or .Fi2Ed.

After completing the deletion process, GermanWiper also removes the shadow volume copies and disables Windows automatic startup repair by launching the following commands:

cmd.exe /k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} 
recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

The ransomware also creates a ransom note named Fi2Ed_Entschluesselungs_Anleitung.html that is automatically opened at the end of the wiping procedure. Here, victims find instructions to pay 0.15038835 bitcoins, or approximately $1,600, to the listed bitcoin address.

The ransom note reads:

Alle Ihre Dateien wurden verschluesselt!

Was ist passiert?

Alle Ihre Dateien wurden verschluesselt und sind fuer Sie nicht mehr zugaenglich bis 
wir diese wieder entschluesseln. Alle verschluesselten Dateien wurden mit der 
Dateiendung .phnB2 versehen.

Bitte folgen Sie unseren Anweisungen, wenn Sie Ihre Dateien zeitnah wieder 
entschluesseln wollen! Es besteht keine andere Moeglichkeit Ihre Daten wieder zu 
entschluesseln ausser unseren Anweisungen zu folgen!

Ich moechte meine Dateien entschluesseln!

Kein Problem! Um Ihre Dateien zu entschluesseln, benoetigen Sie unsere 
Entschluesselungssoftware, diese steht zum Kauf fuer umgerechnet ca. $1,500 bereit. 
Der Betrag ist ausschliesslich in Bitcoin an die untenstehende Adresse zu zahlen.

Welche Garantien habe ich?

Uns interessiert nicht wer Sie sind oder was fuer Dateien Sie auf Ihrem Computer 
haben, wir sind ausschliesslich daran interessiert Ihnen die Entschluesselungssoftware 
zu verkaufen. Schlechtes Business spricht sich herum, sollten wir Ihre Dateien nicht 
entschluesseln, wuerde in Zukunft niemand unsere Entschluesselungssoftware kaufen - 
Was nicht in unserem Interesse liegt.

Wo bekomme ich Bitcoins?

Bitcoin koennen Sie schnell und einfach kaufen, z.B mit Kreditkarte, GiroPay oder 
(SOFORT) Ueberweisung. Es folgt eine Auflistung populaerer Tauschboersen und 
Bitcoin Marktplaetzen:
Coinmama - hxxps://coinmama.com/
Bitpanda - hxxps://www.bitpanda.com/
AnyCoinDirect - hxxps://anycoindirect.eu/
Bitcoin.de - hxxps://www.bitcoin.de/
BTC Direct - hxxps://btcdirect.eu/de-at

Es gibt noch weitere moeglichkeiten Bitcoin zu erwerben, sollte keine der gelisteten 
fuer Sie funktionieren, hilft Ihnen eine kurze Google Suche.

Ich habe die Bitcoins gekauft

Senden Sie den folgenden Betrag an die fuer Sie generierte Bitcoin Adresse:

Betrag
0.15038835 Bitcoin

Bitcoin Adresse
17vH1YT63jRTavNQRGGsP49xjzZtZsxNRF

Ich habe bezahlt - Was jetzt?

Nachdem die Zahlung auf der angegebenen Wallet eingegangen ist und diese 1 
Bestaetigung im Bitcoin Netzwerk erhalten hat (30-60 Minuten) aktualisiert sich diese 
Seite automatisch mit dem Download Link fuer die Entschluesselungssoftware.

Bitte folgen Sie den Anweisungen in der Entschluesselungssoftware um sicherzustellen, 
dass alle Ihre Dateien korrekt entschluesselt werden.

Bitte beachten Sie, dass die Entschluesselungssoftware nur speziell fuer Ihren PC und 
die Dateiendung .phnB2 funktioniert, es ist also sinnlos nach der 
Entschluesselungssoftware von anderen zu suchen.

Weitere Informationen

Bitte beachten Sie, dass wir Ihnen eine Frist von 7 Tagen setzen, diese laueft ab am: 
09/08/2019.

Sollten wir bis dahin keinen Zahlungseingang feststellen, gehen wir davon aus, dass 
Sie nicht an der Entschluesselung Ihrer Daten interessiert sind und Loeschen den 
Private-Key fuer Ihren Computer unwiderruflich, in diesem Falle gehen Ihre Daten fuer 
immer verloren.

Beachten Sie, dass nur wir in der Lage sind Ihre Dateien wiederherzustellen, 
versuchen Sie nicht Ihre Dateien selber zu entschluesseln / wiederherzustellen, im 
besten Falle verschwenden Sie nur Ihre Zeit, im schlimmsten Falle beschaedigen Sie 
die verschluesselten Dateien und wir koennen Ihnen beim entschluesseln nicht mehr 
helfen!

Which translates to:

All your files have been encrypted!

What happened?

All your files have been encrypted and are no longer accessible to you until we 
decode them again. All encrypted files were given the file extension .phnB2.

Please follow our instructions if you want to decode your files in a timely manner! 
There is no other way to decode your data except following our instructions!

I would like to decrypt my files!

No problem! To decrypt your files, you need our decryption software, which is available 
for purchase for the equivalent of $ 1,500. 
The amount is payable exclusively in Bitcoin to the address below.

What guarantees do I have?

We are not interested in who you are or what files you have on your computer, we are 
only interested in selling you the decryption software. Bad business gets around, if we 
do not decode your files, nobody would buy our decryption software in the future - 
which is not in our interest.

Where can I get bitcoins?

You can buy Bitcoin quickly and easily, eg with credit card, GiroPay or (IMMEDIATE) 
transfer. Here is a list of popular barter and Bitcoin marketplaces: 
Coinmama - hxxps: //coinmama.com/ 
Bitpanda - hxxps: //www.bitpanda.com/ 
AnyCoinDirect - hxxps: //anycoindirect.eu/ 
Bitcoin.de - hxxps: // www.bitcoin.de/ 
BTC Direct - hxxps: //btcdirect.eu/de-at

There are other ways to buy Bitcoin, if none of the listed ones work for you, a short 
Google search will help you.

I bought the bitcoins

Send the following amount to the bitcoin address generated for you:

Amount 
0.15038835 Bitcoin

Bitcoin Address 
17vH1YT63jRTavNQRGGsP49xjzZtZsxNRF

I have paid - what now?

After the payment has been received on the specified wallet and has received 1 
confirmation in the Bitcoin network (30-60 minutes), this page automatically updates 
itself with the download link for the decryption software.

Please follow the instructions in the decryption software to make sure that all your files 
are decrypted correctly.

Please note that the decryption software works only for your PC and the file extension 
.phnB2, so it makes no sense to look for the decryption software of others.

additional Information

Please note that we set a period of 7 days, this will take place on: 09/08/2019.

If we do not find any payment until then, we assume that you are not interested in the 
decryption of your data and delete the private key for your computer irrevocably, in 
which case your data is lost forever.

Note that only we are able to recover your files, do not try to decrypt / restore your 
own files, in the best case you only waste your time, in the worst case you will 
damage the encrypted files and we will no longer be able to decrypt them help!

The information is also given to victims through a desktop wallpaper that the malware enables on infected machines. The wallpaper translates to:

======== YOUR FILES WERE CLOSED ======== 
OPEN phnB2_encrypt_manual.html TO FIND OUT HOW TO RETRIEVE YOUR FILES!

The wiper executable contains 36 base64-encoded bitcoin addresses. The malware selects one at random for each victim. While the ransom note suggests that the bitcoin addresses are unique per victim as seen by the translated text "Send the following amount to the Bitcoin address generated for you", the wiper just chooses any of these hardcoded addresses.

The ransom note for this wiper includes a bit of JavaScript at the bottom that is executed every time the user opens the note. This script connects to the wiper's C2 server and sends the bitcoin address associated with the victim and other information. As the ransom note is automatically opened by the wiper at the end of execution, the attacker uses this script to track the amount of victims.

Community content is available under CC-BY-SA unless otherwise noted.