fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Discord Nitro Gift Codes Now Demanded As Ransomware Payments

Discord Nitro Gift Codes Now Demanded As Ransomware Payments

In a novel approach to ransom demands, a new ransomware calling itself ‘NitroRansomware’ encrypts victim’s files and then demands a Discord Nitro gift code to decrypt files.

While Discord is free, they offer a Nitro subscription add-on for $9.99 per month that provides additional perks, such as larger uploads, HD video streaming, enhanced emojis, and the ability to boost your favorite server, so its users enjoy extra functionality as well.

When purchasing a Nitro subscription, users can apply it to their own account or buy it as a gift for another person. When gifting, the purchaser will be given an URL in the format https://discord.gift/[code], which can then be given to another Discord user.

Gifting a Nitro subscription
Gifting a Nitro subscription

Not your typical ransom demand

While most ransomware operations demand thousands, if not millions, of dollars in cryptocurrency, Nitro Ransomware deviates from the norm by demanding a $9.99 Nitro Gift code instead.

Based on filenames for NitroRansomware samples shared by MalwareHunterteam and analyzed by BleepingComputer, this new ransomware appears to be distributed as a fake tool stating it can generate free Nitro gift codes.

When executed, the ransomware will encrypt a person’s files and append the .givemenitro extension to encrypted files, as shown below.

Files encrypted by the NitroRansomware
Files encrypted by the NitroRansomware

Also Read: The DNC Registry Singapore: 5 Things You Must Know

When finished, NitroRansomware will change the user’s wallpaper to an evil or angry Discord logo, as shown below.

Wallpaper changed to angry Discord logo
Wallpaper changed to angry Discord logo

A ransomware screen will then be displayed demanding a free Nitro gift code within three hours, or ransomware will delete the victim’s encrypted files. This timer appears to be an idle threat as the ransomware samples seen by BleepingComputer do not delete any files when the timer reaches zero.

NitroRansomware screen
NitroRansomware screen

When a user enters a Nitro gift code URL, the ransomware will verify it using a Discord API URL, as shown below. If a valid gift code link is entered, the ransomware will decrypt the files using an embedded static decryption key.

Checking if a Discord Nitro gift code is valid
Checking if a Discord Nitro gift code is valid

As the decryption keys are static and are contained within the ransomware executable, it is possible to decrypt the files without actually paying the Nitro gift code ransom.

Therefore, if you fall victim to this ransomware, you can share a link for the executable to extract a decryption key.

Unfortunately, in addition to encrypting your files, the Nitro Ransomware will also perform other malicious activity on a victim’s computer.

Stealing tokens and executing commands

It would not be Discord-related malware if the threat actors didn’t try to steal a victim’s Discord tokens.

Discord tokens are authentication keys tied to a particular user, that when stolen, allow a threat actor to log in as the associated user.https://www.ad-sandbox.com/static/html/sandbox.html

When NitroRansomware starts, it will search for a victim’s Discord installation path and then extract user tokens from the *.ldb files located under “Local Storage\leveldb.” These tokens are then sent back to the threat actor over a Discord webhook.

Stealing Discord user tokens
Stealing Discord user tokens

As part of this process, the malware will also attempt to steal data from Google Chrome, Brave Browser, and Yandex Browser.

NitroRansomware also includes functionality to execute commands and have the output sent through the webhook to the attacker’s Discord channel. This is currently only used to get the computer’s UUID using the ‘wmic csproduct get uuid’ command.

Also Read: How To Comply With PDPA: A Checklist For Businesses

Acting as a backdoor to execute remote commands
Acting as a backdoor to execute remote commands

The good news is that this ransomware does not do a good job hiding its decryption key, and users can recover their files for free.

However, the bad news is that the threat actor will likely have already stolen a user’s Discord token.

Due to this, users infected with this ransomware should immediately change their Discord password in case their account has been compromised.

Update 4/19/21: Added that the malware also steals information from browsers.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us