The tech press is full of stories about “a new ransomware strain” called GermanWiper, which has hit German businesses hard in the last week.
GermanWiper, rather like a typical ransomware attack, arrives in your inbox as an email. In this case samples have been seen purporting to be a job application from a person called Lena Kretschmer.
⚠️ Attackers are currently sending fake job applications in the name of "Lena Kretschmer" to spread the #Ransomware #GermanWiper. Do not open the email's attachments! ⚠️ pic.twitter.com/rpDBReqQYX
— CERT-Bund (@certbund) August 2, 2019
Dear Sir or Madam,
I came across your advertised position on the internet with great interest. I would like to take on a new professional challenge. With me, your company gains a committed employee. I always devote myself to my new tasks and challenges with great motivation and full commitment. Nothing stands in the way of my starting with you at the earliest possible date. I would be happy to give you a further impression in a personal interview. I look forward to your invitation.
Kind regards
Attachments: references, CV, application photo
Attached to the email are a photograph (with the filename Lena_Kretschmer_Bewerbingsfoto.jpg) and a ZIP archive (Unterlagen_Lena_Kretschmer.zip). Inside the ZIP file is a .LNK shortcut.
Clicking on the .LNK shortcut is, of course, a big mistake, as it causes your Windows computer to download and run GermanWiper.
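The lure above is a ZIP attachment whose members are Windows shortcuts rather than the documents a job application would contain. The following is an added example of the check a mail gateway or attachment scanner can run for that pattern; it is not code from the original post. The extension list and the sample archives are constructed for illustration, and the member contents are padding, not real shortcuts.

```python
"""Flag ZIP attachments that hide Windows shortcut (.LNK) files.

Added example, not from the original post.  The extension list and the
sample archives below are constructed for illustration."""
import io
import zipfile

# Extensions that have no business inside a "CV and references" archive.
# .lnk is the one GermanWiper used; the rest are common script/dropper types
# (assumed list, extend to taste).
SUSPICIOUS_EXTENSIONS = {
    ".lnk", ".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf",
    ".hta", ".bat", ".cmd", ".ps1",
}

# Every Windows shortcut starts with its fixed header size, 0x4C, little-endian.
LNK_MAGIC = b"\x4c\x00\x00\x00"


def suspicious_members(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for each archive member worth quarantining.

    Two independent tests, so renaming a shortcut does not hide it:
      * the final extension, compared case-insensitively as Windows does,
        so 'Lebenslauf.pdf.LNK' is judged by '.lnk', not '.pdf';
      * the first four bytes of the content, which betray a .LNK whatever
        it is called.
    Raises zipfile.BadZipFile if the blob is not a ZIP archive.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            ext = ("." + basename.rsplit(".", 1)[1].lower()) if "." in basename else ""
            if ext in SUSPICIOUS_EXTENSIONS:
                flagged.append((info.filename, f"extension {ext}"))
                continue
            # Only the first 4 bytes are read, so a huge member costs nothing.
            with zf.open(info) as member:
                if member.read(4) == LNK_MAGIC:
                    flagged.append((info.filename, "LNK header behind a harmless-looking name"))
    return flagged


def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper to construct sample archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples.  The lure mimics the GermanWiper attachment layout;
# the member contents are padding, not real shortcuts.
FAKE_LNK = LNK_MAGIC + b"\x00" * 72
LURE_ZIP = build_zip({
    "Unterlagen_Lena_Kretschmer/Lebenslauf.pdf.LNK": FAKE_LNK,
    "Unterlagen_Lena_Kretschmer/Arbeitszeugnisse.lnk": FAKE_LNK,
    "Unterlagen_Lena_Kretschmer/Bewerbungsfoto.jpg": FAKE_LNK,  # shortcut renamed to look like a photo
})
BENIGN_ZIP = build_zip({
    "Bewerbung/Lebenslauf.pdf": b"%PDF-1.4\n% constructed placeholder\n",
    "Bewerbung/Arbeitszeugnis.docx": b"PK\x03\x04 constructed placeholder",
})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        hits = suspicious_members(blob)
        print(f"{label}: {'QUARANTINE' if hits else 'pass'}")
        for name, reason in hits:
            print(f"    {name}: {reason}")
```

The content check matters because a blocklist on names alone is defeated the moment the attacker renames the shortcut, and the double-extension case shows why the last extension, not the first recognisable one, decides.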
After it has done its dirty work, GermanWiper displays a ransom message requesting payment.
I did a reverse image search on the photograph attached to the email, and found this image by Berlin-based photographer Michel Buchmann, who – coincidentally – has a webpage describing how you should write a CV if you want to apply for a job in Germany.
It should go without saying that Michel and the model (whose real name apparently is Luisa) are not connected with the malware attack. Furthermore, the attack could easily be modified to use different wording, have a different applicant’s name, different filenames, even be written in a different language.
But there is another important issue to consider with this attack, because many of the media reports are incorrect. GermanWiper is not ransomware. It is worse than that.
GermanWiper is, as the name suggests, a type of malware known as a “wiper”, which overwrites the data on your drives.
Compare that with ransomware, which encrypts your data. At least with ransomware you have the option, if you did not take the sensible precaution of making a secure backup before infection, of gambling that the attackers will accept a ransom payment in exchange for a key to decrypt your precious data. With a wiper, paying a ransom is not going to help you at all: the bad guys hold neither a copy of your data nor a key that could recover it; they simply overwrote it with zeroes.
In other words, paying the attacker’s ransom demand is a waste of time (and money).
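The distinction above has a practical side during incident response: before anyone debates paying, look at what is actually on disk. A zero-filled file has nothing behind it, whereas a properly encrypted file looks like random bytes. The following is an added triage helper, not code from the original post; the thresholds and the three sample files are constructed for illustration.

```python
"""Triage helper: is a damaged file zero-filled (a wiper's work), high-entropy
(encrypted or compressed), or still readable?

Added example, not from the original post.  Thresholds and sample contents
are constructed for illustration."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zero_fraction(data: bytes) -> float:
    """Share of the file that is the byte 0x00."""
    return data.count(0) / len(data) if data else 0.0


def classify(data: bytes, zero_threshold: float = 0.99, entropy_threshold: float = 7.5) -> str:
    """Rough verdict for one file.  The two thresholds are assumptions for this example."""
    if zero_fraction(data) >= zero_threshold:
        return "zero-filled (wiped; nothing to decrypt)"
    if shannon_entropy(data) >= entropy_threshold:
        return "high entropy (encrypted or compressed; compare with a known-good copy)"
    return "low entropy (plaintext-like; probably intact)"


def triage(files: dict[str, bytes]) -> dict[str, str]:
    """Classify every file in a name -> content mapping."""
    return {name: classify(blob) for name, blob in files.items()}


# Constructed samples standing in for three files found after an incident.
INTACT_DOC = b"Sehr geehrte Damen und Herren, mit grossem Interesse ... " * 64
WIPED_DOC = b"\x00" * len(INTACT_DOC)                                  # what a zero-writing wiper leaves
ENCRYPTED_DOC = random.Random(20190802).randbytes(len(INTACT_DOC))      # seeded stand-in for ciphertext

if __name__ == "__main__":
    samples = {"Lebenslauf.docx": INTACT_DOC, "Vertrag.pdf": WIPED_DOC, "Bilanz.xlsx": ENCRYPTED_DOC}
    for name, verdict in triage(samples).items():
        print(f"{name:16} entropy={shannon_entropy(samples[name]):.2f} "
              f"zeros={zero_fraction(samples[name]):.2%}  {verdict}")
```

Two caveats a responder would want. First, legitimately compressed formats (ZIP, JPEG, many Office files) are high-entropy by nature, so the entropy verdict only means "not plaintext" and should be confirmed against a backup or a known-good copy. Second, a wiper that overwrites with random bytes rather than zeroes is indistinguishable from encryption by this test alone; in that case the question of whether a key exists at all is answered by analysing the malware, not the files.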
My advice? Make secure backups, folks.
Further reading: How to create a robust data backup plan (and make sure it works)
To learn more about backups, make sure that you listen to this episode of the “Smashing Security” podcast:
Smashing Security #043: 'Backups - a necessary evil?'
6 comments on “GermanWiper isn’t ransomware. It’s worse than that”
Lena might be a tongue-in-cheek reference to Lenna, which was a test image derived from a centerfold picture of Lena Söderberg.
Ray, sounds like a stretch. However, if the next one is from a woman named "Teddi" that will definitely lend credence to the theory. :)
Why don't people learn the basics, such as: don't open attachments from people you don't know or from emails you don't expect?
I use Linux and never had such problems.
Don't forget that, in this instance, the email purported to be a CV from someone applying for a job. HR departments find it perfectly normal to receive email attachments from people they don't know, applying for jobs.
Indeed, the soft underbelly of any organization is the HR department and the finance department. Both receive emails with attachments all the time and literally from everywhere and the only firewall capable of detecting if it's fake or not is the human behind the keyboard.
I'm actually surprised that this type of attack hadn't been tried earlier.
It's not that simple. There are many ways that one can be tricked into doing something. If you want to know the reason that social engineering and phishing are so commonly used you need only think about how easy humans are to manipulate. With not much thought you will know that they're used because they WORK REALLY WELL. Kevin Mitnick knows this and it's what he is really good at. But never mind that.
As for Linux? Amusing that you think it's immune to malware. It's not. Never has been and never will be. Remember also that the infamous Morris Worm – from 1988 – exploited Unix boxes. There are other examples. Oh and let's see – what about some recent news? Maybe this?
It seems that even downloading it – but not opening it (and I invite you to think about how that could be combined with this attack, because it's instructive to understand how things can be combined to be even more effective and dangerous) – can lead to RCE. If that doesn't say enough to you I don't think anything else will.
There's one other thing though to consider that's not even to do with safe computing: ignorance and lack of awareness. Ask yourself this too: if you're unaware of this type of thing how can you even know that you're unaware that there is even the possibility? And then there are those who are vulnerable. It's never as simple as you're making it out to be. Life simply isn't simple and it's actually better; if it was simple what would we really have in comparison to now?