The tech press is full of stories about “a new ransomware strain” called GermanWiper that has hit German businesses hard in the last week.
GermanWiper, rather like a typical ransomware attack, arrives in your inbox in the form of an email. In this case samples have been seen purporting to be a job application from a person called Lena Kretschmer.
— CERT-Bund (@certbund) August 2, 2019
Dear Sir or Madam,
I became aware of your advertised position on the Internet with great interest. I would like to take on a new professional challenge. With me, your company gains a motivated employee. I always devote myself to my new tasks and challenges with great motivation and full commitment. Nothing stands in the way of my starting with you at the earliest possible date. I would be happy to give you a further impression in a personal interview. I look forward to your invitation.
Kind regards
Attachments: employment references, CV, application photo
Attached to the email is a photograph (with the filename Lena_Kretschmer_Bewerbingsfoto.jpg), and a ZIP archive file (Unterlagen_Lena_Kretschmer.zip). Inside the ZIP file is a .LNK shortcut.
Clicking on the .LNK shortcut is, of course, a big mistake, as it will cause your Windows computer to download the GermanWiper malware.
After it has done its dirty work, GermanWiper displays a ransom message requesting payment.
I did a reverse image search on the photograph attached to the email, and found this image by Berlin-based photographer Michel Buchmann, who – coincidentally – has a webpage describing how you should write a CV if you want to apply for a job in Germany.
It should go without saying that Michel and the model (whose real name apparently is Luisa) are not connected with the malware attack. Furthermore, the attack could easily be modified to use different wording, have a different applicant’s name, different filenames, even be written in a different language.
But there’s another important issue to consider with this malware attack, because many of the media reports are incorrect: GermanWiper is not ransomware. It’s worse than that.
GermanWiper is, as the name suggests, a type of malware known as a “wiper” – which overwrites data on your drives.
Compare that with ransomware, which encrypts your data. At least with ransomware you have the option – if you didn’t take the sensible precaution of making a secure backup before infection – of gambling that your malicious attackers might accept a ransom payment in exchange for a key to decrypt your precious data. With a wiper, paying a ransom isn’t going to help you at all – the bad guys don’t have a copy of your data, they simply overwrote it with zeroes.
In other words, paying the attacker’s ransom demand is a waste of time (and money).
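An added example, not from the article, of the triage check a responder would want before anyone even considers a ransom note: it distinguishes files that have been overwritten with zeroes (nothing left to decrypt) from files that actually contain ciphertext. The thresholds and the sample file contents are assumptions constructed for this example, not GermanWiper artefacts.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for all-identical bytes, up to 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def classify_contents(data: bytes, zero_threshold: float = 0.95,
                      entropy_threshold: float = 7.5) -> str:
    """Heuristic triage of a file that a ransom note claims was 'encrypted'.
    The thresholds are assumptions chosen for this example, not values from
    any product or from the article:
      zero-wiped : nearly every byte is 0x00, so there is no ciphertext to recover
      encrypted  : near-uniform byte distribution, as real ciphertext would show
      plaintext  : anything else (readable or structured data is still intact)
    """
    if not data:
        return "empty"
    if data.count(0) / len(data) >= zero_threshold:
        return "zero-wiped"
    if shannon_entropy(data) >= entropy_threshold:
        return "encrypted"
    return "plaintext"

def triage_paths(paths, sample_size: int = 1 << 20) -> dict:
    """Read the first sample_size bytes of each file and return {path: verdict}."""
    verdicts = {}
    for path in paths:
        with open(path, "rb") as fh:
            verdicts[path] = classify_contents(fh.read(sample_size))
    return verdicts

# Constructed sample contents for demonstration (not real GermanWiper artefacts).
SAMPLE_WIPED = b"\x00" * 4096
SAMPLE_ENCRYPTED = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
SAMPLE_PLAINTEXT = b"Sehr geehrte Damen und Herren, anbei meine Bewerbung.\r\n" * 64

if __name__ == "__main__":
    for name, blob in [("wiped", SAMPLE_WIPED), ("encrypted", SAMPLE_ENCRYPTED),
                       ("plaintext", SAMPLE_PLAINTEXT)]:
        print(f"{name:10} -> {classify_contents(blob)}")
```

Point `triage_paths()` at a handful of the affected files: a directory full of "zero-wiped" verdicts is a wiper, whatever the ransom note says, and the only recovery path is a backup.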
My advice? Make secure backups, folks.
Further reading: How to create a robust data backup plan (and make sure it works)
To learn more about backups, make sure that you listen to this episode of the “Smashing Security” podcast: