The malware seems like a silly coding lark at first, but further exploration shows it can wreak serious damage in follow-on attacks.
The NitroRansomware malware strain is shaking up the ransomware norm by demanding Discord Nitro gift codes from victims instead of actual money.
Discord is a VoIP, instant messaging and digital-distribution platform designed for creating communities. Users communicate with voice calls, video calls, text messaging, media and files in private chats or as part of communities called “servers.”
While it’s free, users can purchase an upgraded “Nitro” subscription for $9.99 that allows larger upload sizes, HD video streaming, better emoji options and the ability to “stand out” via promotions on servers.
The NitroRansomware operators are apparently extremely interested in Nitro subscriptions. The malware was initially spotted by MalwareHunterTeam, and other researchers have since looked into how the code works. It’s being distributed as a purported free gift-code generator for Nitro.
“Upon executing the ransomware, it will encrypt the victim’s file and will give three hours to them to provide a valid Discord Nitro [code],” explained Heimdal Security researcher Cezarina Chirica, in a Monday posting. “The malware appends the ‘.givemenitro’ extension to the filenames of the encrypted files. At the end of an encryption process, NitroRansomware will change the user’s wallpaper to an evil or angry Discord logo.”
According to an analysis by Bleeping Computer, the ransomware verifies that the provided Discord gift codes are valid, and decrypts the files using an embedded static decryption key. However, the three-hour limit appears to be a scareware tactic. If the timer ticks down to zero, no files are actually deleted.
The outlet’s analysis also pointed out that because the decryption keys are static, it’s possible to extract a decryption key from the executable itself, so there’s no real need to pay the $9.99.
Follow-On Attacks Possible
MalwareHunterTeam also noted that the malware steals Discord tokens from victims as well, which would allow attackers to hack Discord servers.
There’s a ransomware called “Nitro Ransomware”. “There is no other way to open it unless you have the decryption key. You have under 3 hours to give us Discord nitro.” It actually checks if you entered a valid gift code. Has a Discord token stealer too… 😂🤦♂️ @demonslay335 pic.twitter.com/OayXQPcSEl
— MalwareHunterTeam (@malwrhunterteam) April 17, 2021
And, “NitroRansomware also implements backdoor capabilities, allowing the hackers to remotely execute commands and then have the output sent through their webhook to the attacker’s Discord channel,” said Heimdal’s Chirica.
Chirica recommended that users infected with the ransomware immediately change their Discord password and perform an antivirus scan to detect other malicious programs added to the computer. Users should also check for new Windows user accounts they did not create and remove any they find.
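A responder-side triage script for the checks above, added here as an example and not code from Heimdal or the article: it lists files carrying the ‘.givemenitro’ extension and flags local Windows accounts outside a baseline the responder supplies. The scan roots and the baseline account list are assumptions to adjust per machine.

```powershell
# Added triage example (not from the article): report files the ransomware
# renamed and local accounts that warrant review. Nothing is deleted here.
param(
    # Directories to scan for encrypted files (assumption: the user profile).
    [string[]]$Roots = @("$env:USERPROFILE"),
    # Baseline of accounts expected on this host (assumption; extend per machine).
    [string[]]$KnownAccounts = @('Administrator', 'Guest', 'DefaultAccount',
                                 'WDAGUtilityAccount', $env:USERNAME)
)

# 1. Files carrying the '.givemenitro' extension the malware appends.
$encrypted = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -Filter '*.givemenitro' `
                  -ErrorAction SilentlyContinue
}
"Encrypted files found: $(@($encrypted).Count)"
$encrypted | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# 2. Local accounts not in the baseline. Get-LocalUser exposes no creation
#    timestamp, so the comparison is against the known list rather than a date;
#    LastLogon and PasswordLastSet help date an unexpected account.
$unexpected = Get-LocalUser | Where-Object { $KnownAccounts -notcontains $_.Name }
"Local accounts to review: $(@($unexpected).Count)"
$unexpected | Select-Object Name, Enabled, LastLogon, PasswordLastSet |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session so Get-LocalUser and the file walk see every account and directory; review the account list before removing anything.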
Gift Cards: A Cybercrime Goldmine
Why gift codes? They can be resold, and also can be used for money laundering, researcher Kevin Beaumont pointed out.
Obviously this one is a bit dumb, but BEC realised a while ago iTunes gift cards and such are great for money laundering – get victim to buy multiple gift cards, then criminal infrastructure exists for reselling gift cards, laundering to fake ebooks, apps etc.
— Kevin Beaumont (@GossiTheDog) April 18, 2021
Stolen gift and loyalty codes and cards can be big business on the cyber-underground. In February for instance, gift cards from 3,010 companies showed up on a Russian-speaking illicit forum, according to Gemini Advisors. These included cards from Airbnb, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target and Walmart.
These were worth around $38,000, Gemini noted – but they netted a bit less for the cybercriminals behind the cache. The starting bidding price of the stolen gift cards was $10,000, with a “buy now” price of $20,000. The gift cards were bought by another cybercriminal soon after the cards were posted for sale, according to the firm.
“Typically, compromised gift cards sell for 10 percent of the card value in the Dark Web; however, the 895,000 cards offered from the breach were priced at roughly 0.05 percent of the card value,” according to Gemini, in an early April report. This discrepancy likely means the gift cards were potentially carrying low balances, it added.
When it comes to monetization, cybercriminals basically have two options, according to Gemini: Purchase actual goods and resell them; or, sell the cards to a third-party gift card marketplace as in the example above.
“In [one] scheme, cybercriminals would use stolen payment cards to purchase gift cards and then sell the gift cards to Cardpool [a carding marketplace],” according to the report. “If a bank were to determine that the gift card had been purchased with a stolen payment card, they could connect with the merchant bank or gift card vendors that issued the gift card and request they void the gift card. Unfortunately, this process can prove cumbersome and time-consuming, making it a rare occurrence and granting cybercriminals a wider time window to pull off their scheme.”