While it’s free, users can purchase an upgraded “Nitro” subscription for $9.99 that allows larger upload sizes, HD video streaming, better emoji options and the ability to “stand out” via promotions on servers. The NitroRansomware operators are apparently extremely interested in Nitro subscriptions. Initially spotted by MalwareHunterTeam, other researchers looked into how the code works. It’s being distributed as a purported free gift-code generator for Nitro.
“Upon executing the ransomware, it will encrypt the victim’s file and will give three hours to them to provide a valid Discord Nitro,” explained Heimdal Security researcher Cezarina Chirica, in a Monday posting. “The malware appends the ‘.givemenitro’ extension to the filenames of the encrypted files. At the end of an encryption process, NitroRansomware will change the user’s wallpaper to an evil or angry Discord logo.”
According to an analysis by Bleeping Computer, the ransomware verifies that the provided Discord gift codes are valid, and decrypts the files using an embedded static decryption key. However, the three-hour limit appears to be a scareware tactic. If the timer ticks down to zero, no files are actually deleted. The outlet’s analysis also pointed out that because the decryption keys are static, it’s possible to extract a decryption key from the executable itself, so there’s no real need to pay the $9.99.
MalwareHunterTeam also noted that the malware steals Discord tokens from victims as well, which would allow attackers to hack Discord servers. And, “NitroRansomware also implements backdoor capabilities, allowing the hackers to remotely execute commands and then have the output sent through their webhook to the attacker’s Discord channel,” said Heimdal’s Chirica. Chirica recommended that users infected with the ransomware immediately change their Discord password and perform an antivirus scan to detect other malicious programs added to the computer. And, also, users should check for new user accounts in Windows that they did not create and remove them if found.
Why gift codes? They can be resold, and also can be used for money laundering, researcher Kevin Beaumont pointed out. Obviously this one is a bit dumb, but BEC realised a while ago iTunes gift cards and such are great for money laundering – get victim to buy multiple gift cards, then criminal infrastructure exists for reselling gift cards, laundering to fake ebooks, apps etc. Stolen gift and loyalty codes and cards can be big business on the cyber-underground. In February for instance, gift cards from 3,010 companies showed up on a Russian-speaking illicit forum, according to Gemini Advisors. These included cards from Airbnb, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target and Walmart.