A number of German companies received a phishing email containing a new type of malware link. The malware, called GermanWiper, is data-clearing software disguised as ransomware. The targets are mostly located in Germany.
— CERT-Bund (@certbund) August 2, 2019
It is understood that the attacker first sends an email disguised as a job application cover letter, with an attachment containing two spoofed PDF files. These "PDFs" are actually shortcut files that execute PowerShell commands. Once the command runs, the machine downloads and runs an HTA file, and that HTA file in turn downloads GermanWiper.
According to expert analysis, GermanWiper first terminates processes belonging to databases and other software so that it can gain access to their files. Next, it scans the system to select the files to destroy and then overwrites them, which is what achieves the wiping effect. Experts said that the malware skips certain files so that the victim can still boot Windows and browse the web.
To make the process look like encryption, a random 5-character extension is appended to each file name, such as .08kJA, .AVco3, .OQn1B, .rjzR8, etc. After destroying the files, GermanWiper also deletes the shadow volume copies and disables Windows automatic restart so that the computer cannot be repaired. It is reported that, after destroying the computer and its files, GermanWiper leaves a ransom note on the desktop stating that all files have been encrypted and instructing the victim to pay $1,600 worth of bitcoin to unlock them. But experts say that because the malware has already destroyed the files, they cannot be recovered even if the victim pays the ransom.
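As an added incident-response example (not code from the original article or from CERT-Bund), the following Python script illustrates the last point: because a wiper overwrites file contents rather than encrypting them, an entropy check on files carrying the random five-character extension tells a responder whether any data is left to recover. The extension pattern and the zero-filled "wiped" sample are assumptions made for this illustration; the article only says the files are overwritten.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Heuristic for the appended extension described above: five alphanumerics with
# at least one digit (matches .08kJA, .AVco3, .OQn1B, .rjzR8). Assumed here for triage.
SUSPECT_EXT = re.compile(r"\.(?=[A-Za-z0-9]*\d)[A-Za-z0-9]{5}$")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext, 0.0 for a zero-filled file."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str, sample_size: int = 65536) -> str:
    """Verdict for one suspect file: 'wiped', 'encrypted' or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if not head:
        return "unknown"  # empty file: nothing to measure
    ent = shannon_entropy(head)
    if ent < 1.0:
        return "wiped"  # near-constant bytes: overwritten, nothing to decrypt
    if ent > 7.5:
        return "encrypted"  # ciphertext-like: the original data still exists
    return "unknown"

def triage(root: str) -> dict:
    """Map every suspect file under root (relative path) to its verdict."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if SUSPECT_EXT.search(name):
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, root)] = classify(full)
    return results

def build_sample_tree() -> str:
    """Constructed sample data: one wiped, one encrypted-looking, one benign file."""
    root = tempfile.mkdtemp(prefix="wiper_triage_")
    with open(os.path.join(root, "report.docx.08kJA"), "wb") as fh:
        fh.write(b"\x00" * 4096)  # assumed zero-overwrite, as a wiper would leave
    with open(os.path.join(root, "ledger.xlsx.rjzR8"), "wb") as fh:
        fh.write(os.urandom(4096))  # what genuine ransomware output looks like
    with open(os.path.join(root, "notes.class"), "wb") as fh:
        fh.write(b"hello " * 100)  # 5-letter extension without a digit: skipped
    return root
```

Running `triage(build_sample_tree())` reports the zero-filled file as `wiped` and the random-filled one as `encrypted`; on a real incident, a tree full of `wiped` verdicts is the signal that paying for a decryptor would buy nothing.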