The Nitro Ransomware malware strain is changing the ransomware norm by demanding Discord Nitro gift codes from victims instead of actual money.
The malware seems like a silly coding joke at 1st, but further exploration shows it can wreak serious damage in follow-on attacks.
Discord is a VoIP, instant messaging & digital-distribution platform designed for creating communities. Users communicate with voice calls, video calls, text messaging, media & files in private chats or as part of communities called “servers.”
Free Gift-Code
The Nitro Ransomware operators are seemingly extremely interested in Nitro subscriptions. Initially spotted by Malware Hunter Team, other researchers looked into how the code works. It is being distributed as a supposedly free gift-code generator for Nitro.
“Upon executing the ransomware, it will encrypt the victim’s file & will give 3 hours to them to provide a valid Discord Nitro code,” explained Heimdal Security researcher Cezarina Chirica, in a Mon. posting. “The malware appends the ‘.givemenitro’ extension to the filenames of the encrypted files.
At the end of an encryption process, Nitro Ransomware will change the user’s wallpaper to an evil or angry Discord logo.”
Static Decryption Key
Says an analysis by Bleeping Computer, the ransomware verifies that the provided Discord gift codes are valid, & decrypts the files using an embedded static decryption key. However, the 3-hour limit seems to be a scareware tactic. If the timer ticks down to zero, no files are actually deleted.
The outlet’s analysis also pointed out that because the decryption keys are static, it’s possible to extract a decryption key from the executable itself, so there’s no real need to pay the $9.99.
Follow-On Attacks
Malware Hunter Team also noted that the malware steals Discord tokens from victims as well, which would allow attackers to hack Discord servers.
There’s a ransomware called “Nitro Ransomware”.
“There is no other way to open it unless you have the decryption key. You have under 3 hours to give us Discord nitro.”
It actually checks if you entered a valid gift code.
Has a Discord token stealer too…
😂
🤦♂️@demonslay335 pic.twitter.com/OayXQPcSEl
— MalwareHunterTeam (@malwrhunterteam) April 17, 2021
Backdoor Capabilities
Also, “Nitro Ransomware also implements backdoor capabilities, allowing the hackers to remotely execute commands & then have the output sent through their webhook to the attacker’s Discord channel,” commented Heimdal’s Chirica.
Chirica recommended that users infected with the ransomware immediately change their Discord password & perform an antivirus scan to detect other malicious programs added to the computer. Also, users should check for new user accounts in Windows that they did not create & remove them if found.
Gift Cards: A Cyber-Crime Bonanza
Why gift codes? They can be resold, & also can be used for money laundering; researcher Kevin Beaumont explained.
Obviously, this one is a bit dumb, but BEC realized some time ago iTunes gift cards & such are good for money laundering – 1st get the victim to buy multiple gift cards, then criminal infrastructure exists for reselling gift cards, laundering to fake e-books, apps etc.
Stolen gift & loyalty codes & cards can be big business on the cyber-underground. In Feb. for instance, gift cards from 3,010 companies showed up on a Russian-speaking illicit forum, according to Gemini Advisors. These included cards from Airbnb, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target & Walmart.
10% of the Card Value
These were worth around $38k, Gemini noted – but they netted a bit less for the cyber-criminals behind the cache. The starting bidding price of the stolen gift cards was $10k, with a “buy now” price of $20k. The gift cards were bought by another cyber-criminal soon after the cards were posted for sale, according to the firm.
“Typically, compromised gift cards sell for 10% of the card value in the Dark Web; however, the 895,000 cards offered from the breach were priced at roughly 0.05% of the card value,” according to Gemini, in an early April report. This discrepancy likely means the gift cards were potentially carrying low balances, it added.
Cardpool
When it comes to monetisation, cyber-criminals basically have 2 options, according to Gemini: Purchase actual goods & resell them; or sell the cards to a 3rd-party gift card marketplace as in the example above.
“In 1 scheme, cyber-criminals would use stolen payment cards to purchase gift cards & then sell the gift cards to Cardpool [a carding marketplace],” according to the report. “If a bank were to determine that the gift card had been purchased with a stolen payment card, they could connect with the merchant bank or gift card vendors that issued the gift card & request they void the gift card.
Cumbersome
Unfortunately, this process can prove cumbersome & time-consuming, making it a rare occurrence & granting cyber-criminals a wider time window to pull off their scheme.”
