GermanWiper isn’t ransomware. It’s worse than that

GermanWiper isn't ransomware. It's worse than that

The tech press is full of stories about “a new ransomware strain” called GermanWiper, that has hit German businesses hard in the last week.

GermanWiper, rather like a typical ransomware attack, arrives in your inbox in the form of an email. In this case samples have been seen purporting to be a job application from a person called Lena Kretschmer.

Sehr geehrte Damen und Herren,
mit großem Interesse bin ich im Internet auf Ihre ausgeschriebene Position aufmerksam geworden. Ich möchte mich gerne einer neuen beruflichen Herausforderung stellen. Mit mir gewinnt Ihr Unternehmen einen leistungsbereiten Mitarbeiter. Ich widme mich meinen neuen Aufgaben und Herausforderungen stets mit großer Motivation und vollem Einsatz. Einen Einstieg bei Ihnen zum nächstmöglichen Zeitpunkt steht nichts entgegen. Gerne gebe ich Ihnen einen weiteren Eindruck in einem persönlichen Gespräch. Ich freue mich über Ihre Einladung

Mit freundlichen Grüßen

Lena Kretschmer

Anlagen: Arbeitszeugnisse, Lebenslauf, Bewerbungsfoto

Attached to the email is a photograph (with the filename Lena_Kretschmer_Bewerbingsfoto.jpg), and a ZIP archive file (Unterlagen_Lena_Kretschmer.zip). Inside the ZIP file is a .LNK shortcut.

Clicking on the .LNK shortcut is, of course, a big mistake as your Windows computer will download a nasty malware infection from GermanWiper.

After it has done its dirty work, GermanWiper displays a ransom message requesting payment.

Ransom demand

I did a reverse image search on the photograph attached to the email, and found this image by Berlin-based photographer Michel Buchmann, who – coincidentally – has a webpage describing how you should write a CV if you want to apply for a job in Germany.

It should go without saying that Michel and the model (whose real name apparently is Luisa) are not connected with the malware attack. Furthermore, the attack could easily be modified to use different wording, have a different applicant’s name, different filenames, even be written in a different language.

But there’s another important issue to consider with this malware attack. Because, many of the media reports are incorrect. GermanWiper is not ransomware. It’s worse than that.

GermanWiper is, as the name suggests, a type of malware known as a “wiper” – which overwrites data on your drives.

Compare that with ransomware, which encrypts your data. At least with ransomware you have the option – if you didn’t take the sensible precaution of making a secure backup before infection – of gambling that your malicious attackers might accept a ransom payment in exchange for a key to decrypt your precious data. With a wiper paying a ransom isn’t going to help you at all – the bad guys don’t have a copy of your data, they simply overwrote it with zeroes.

In other words, paying the attacker’s ransom demand is a waste of time (and money).

My advice? Make secure backups, folks.

Further reading: How to create a robust data backup plan (and make sure it works)

To learn more about backups, make sure that you listen to this episode of the “Smashing Security” podcast:

Smashing Security #043: 'Backups - a necessary evil?'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.

6 comments on “GermanWiper isn’t ransomware. It’s worse than that”

  1. Ray

    Lena might be a tongue-in-cheek reference to Lenna
    https://en.wikipedia.org/wiki/Lenna
    which was a test image derived from a centerfold picture of Lena Söderberg.
    https://en.wikipedia.org/wiki/Lena_S%C3%B6derberg

  2. Chris

    Ray, sounds like a stretch. However, if the next one is from a woman named "Teddi" that will definitely lend credence to the theory. :)

  3. Alinka

    Why people don't learn the basics as: Don't open attachments from people you don't know or from emails you don't expect?

    I use Linux and never had such problems.

    1. Graham CluleyGraham Cluley · in reply to Alinka

      Don't forget that, in this instance, the email purported to be a CV from someone applying for a job. HR departments find it perfectly normal to receive email attachments from people they don't know, applying for jobs.

      1. Dirk Jumpertz · in reply to Graham Cluley

        Indeed, the soft underbelly of any organization is the HR department and the finance department. Both receive emails with attachments all the time and literally from everywhere and the only firewall capable of detecting if it's fake or not is the human behind the keyboard.

        I'm actually surprised that this type of attack hadn't been tried earlier.

    2. coyote · in reply to Alinka

      It's not that simple. There are many ways that one can be tricked into doing something. If you want to know the reason that social engineering and phishing is so commonly used you need only think about how easy humans are to manipulate. With not much thought you will know that it's used because it WORKS REALLY WELL. Kevin Mitnick knows this and it's what he is really good at. But never mind that.

      As for Linux? Amusing that you think it's immune to malware. It's not. Never has been and never will be. Remember also that the infamous Morris Worm – from 1988 – exploited Unix boxes. There are other examples. Oh and let's see – what about some recent news? Maybe this?

      https://thehackernews.com/2019/08/kde-desktop-linux-vulnerability.html?m=1

      It seems that even downloading it – but not opening it (and I invite you to think on how that could be complemented with this attack because it's an instructive to understand how things can be combined to be even more effective and dangerous) – can lead to a RCE. If that doesn't say enough to you I don't think anything else will.

      There's one other thing though to consider that's not even to do with safe computing: ignorance and lack of awareness. Ask yourself this too: if you're unaware of this type of thing how can you even know that you're unaware that there is even the possibility? And then there are those who are vulnerable. It's never as simple as you're making it out to be. Life simply isn't simple and it's actually better; if it was simple what would we really have in comparison to now?

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.