The malware seems like nothing special at first, but further exploration shows it can wreak serious damage in follow-on attacks. The NitroRansomware malware strain is changing the ransomware norm by demanding Discord Nitro gift codes from victims instead of actual money. Discord is a VoIP, instant messaging and digital-distribution platform designed for creating communities. Users communicate with voice calls, video calls, text messaging, media and files in private chats or as part of communities called “servers.”
While Discord is free, users can purchase an upgraded “Nitro” subscription for $9.99 that allows larger upload sizes, HD video streaming, better emoji options and the ability to “stand out” via promotions on servers. The NitroRansomware operators are apparently extremely interested in Nitro subscriptions. Initially spotted by MalwareHunterTeam, other researchers looked into how the code works. It’s being distributed as a purported free gift-code generator for Nitro.
“Upon executing the ransomware, it will encrypt the victim’s file and will give three hours to them to provide a valid Discord Nitro [code],” explained Heimdal Security researcher Cezarina Chirica, in a recent posting. “The malware appends the ‘.givemenitro’ extension to the filenames of the encrypted files. At the end of an encryption process, NitroRansomware will change the user’s wallpaper to an evil or angry Discord logo.”
According to researchers, the ransomware verifies that the provided Discord gift codes are valid, and decrypts the files using an embedded static decryption key. However, the three-hour limit appears to be a scareware tactic. If the timer ticks down to zero, no files are actually deleted. The analysis also pointed out that because the decryption keys are static, it’s possible to extract a decryption key from the executable itself, so there is no real need to pay the $9.99.
MalwareHunterTeam also noted that the malware steals Discord tokens from victims as well, which would allow attackers to hack Discord servers. The “NitroRansomware also implements backdoor capabilities, allowing the hackers to remotely execute commands and then have the output sent through their webhook to the attacker’s Discord channel,” said Heimdal’s Chirica.
Chirica recommended that users infected with the ransomware immediately change their Discord password and run an antivirus scan to detect any other malicious programs added to the computer. Users should also check Windows for new user accounts that they did not create and remove any they find.
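The three checks above can be scripted for a first-pass triage of a suspected host. The script below is an added example, not code from the article, from Heimdal or from Red Sky Alliance: it lists files carrying the `.givemenitro` extension the article names, enumerates local accounts, pulls account-creation audit events (Security event ID 4720), and shows which executables currently own outbound connections. The seven-day look-back window and the output layout are assumptions made here; it expects an elevated PowerShell prompt on Windows 10/11 or Server 2016+.

```powershell
# Added triage script (not from the article, Heimdal or Red Sky Alliance).
# Assumes Windows 10/11 or Server 2016+ and an elevated prompt: reading the
# Security log and walking every user profile both need admin rights.
# Only the '.givemenitro' extension comes from the article; the look-back
# window and output format are choices made for this example.
param(
    [int]$LookBackDays = 7,
    [string]$EncryptedExt = '.givemenitro'
)

$since = (Get-Date).AddDays(-$LookBackDays)

# 1. Encrypted files: anything under the user profiles with the ransomware's
#    extension, limited to the look-back window to keep the list short.
Write-Host "== Files with extension $EncryptedExt modified since $since =="
Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -File -Filter "*$EncryptedExt" -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize

# 2. Local accounts that exist right now. Get-LocalUser carries no creation
#    timestamp, so this list is for comparison against a known-good baseline.
Write-Host "== Local user accounts =="
Get-LocalUser | Select-Object Name, Enabled, LastLogon, SID | Format-Table -AutoSize

# 3. Account-creation audit events (4720 = "A user account was created").
#    For this event Properties[0] is TargetUserName (the new account) and
#    Properties[4] is SubjectUserName (who created it). Requires the
#    'Audit User Account Management' subcategory, which logs Success by default.
#    Get-WinEvent raises an error when no events match; with -ErrorAction Stop
#    that is caught below rather than aborting the script.
Write-Host "== Accounts created since $since (Security event 4720) =="
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{
                Created    = $_.TimeCreated
                NewAccount = $_.Properties[0].Value
                CreatedBy  = $_.Properties[4].Value
            }
        } | Format-Table -AutoSize
}
catch {
    Write-Warning "Could not read 4720 events: $($_.Exception.Message)"
}

# 4. Processes owning established outbound TCP connections, with image paths.
#    A webhook backdoor posts to Discord's API over HTTPS, so the destination
#    looks like ordinary client traffic; the tell is an unexpected executable
#    (or one outside the Discord install directory) owning the connection.
Write-Host "== Established TCP connections by owning process =="
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process    = $proc.ProcessName
            Path       = $proc.Path
            RemoteAddr = $_.RemoteAddress
            RemotePort = $_.RemotePort
        }
    } | Sort-Object Path | Format-Table -AutoSize
```

Run it as `.\nitro-triage.ps1 -LookBackDays 3` to narrow the window. Note that nothing here touches the stolen Discord token itself: changing the Discord password, as the article advises, is what invalidates sessions issued with that token, and the antivirus scan is still needed because the backdoor component can persist independently of the encrypted files.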
Why gift codes? They can be resold, and also can be used for money laundering, researcher Kevin Beaumont pointed out. Stolen gift and loyalty codes and cards can be big business on the cyber-underground. In February 2021, gift cards from 3,010 companies showed up on a Russian-speaking illicit forum, according to investigators. These included cards from Airbnb, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target and Walmart.
These were worth around $38 million, but they netted far less for the cybercriminals behind the cache. The starting bidding price of the stolen gift cards was $10,000, with a “buy now” price of $20,000. The gift cards were bought by another cybercriminal soon after they were posted for sale, according to Gemini Advisory, the fraud-intelligence firm that tracked the listing.
“Typically, compromised gift cards sell for 10 percent of the card value in the Dark Web; however, the 895,000 cards offered from the breach were priced at roughly 0.05 percent of the card value,” according to Gemini, in an early April report. This discrepancy likely means the gift cards were potentially carrying low balances, it added.
When it comes to monetization, cybercriminals basically have two options: Purchase actual goods and resell them or sell the cards to a third-party gift card marketplace as in the example above.
“In [one] scheme, cybercriminals would use stolen payment cards to purchase gift cards and then sell the gift cards to Cardpool [a carding marketplace],” according to the report. “If a bank were to determine that the gift card had been purchased with a stolen payment card, they could connect with the merchant bank or gift card vendors that issued the gift card and request they void the gift card. Unfortunately, this process can prove cumbersome and time-consuming, making it a rare occurrence and granting cybercriminals a wider time window to pull off their scheme.”
With many organizations in sectors typically favored by ransomware operators (for example, healthcare, local government or education) vastly increasing their use of and reliance on remote IT services, victims may be more inclined to pay to restore services than under normal conditions.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement two-factor authentication company-wide.
- For USA readers, join and become active in your local InfraGard chapter; there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all work-from-home employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/wapacklabs/
Twitter: https://twitter.com/wapacklabs?lang=en
Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/8782169210544615949
https://threatpost.com/nitroransomware-discord-gift-codes/165488/