A new form of ransomware was discovered in the wild channels Godwin’s Law, using Hitler’s name quite literally in its attempts to shake down victims.

Dubbed Hitler-Ransomware (be it misspelled in the lock screen as Hitler-Ransonware), shows a device lock screen displaying Hitler, telling those infected that their files are encrypted, and then demands a 25 Euro ($27.88) Vodafone card code as ransom to decrypt the files.

The code, believed to be a test variant, is about as successful as the Battle of the Bulge in terms of implementation, with no files actually being encrypted at all.

“Instead, this malware will remove the extension for all of the files under various directories, display a lock screen, and then show a one-hour countdown as shown in the lock screen below” Bleeping Computer reports. “After that hour it will crash the victim’s computer, and on reboot, delete all of the files under the %UserProfile% of the victim.”

Perhaps without irony (or with it), the same report claims that the developer appears to be German, based on German text found within an embedded batch file.

According to the research, the ransomware’s executable is a batch file that has been converted into an installer executable that is added to bundles of other applications; upon execution, the ransomware runs a batch file destined to remove all file extensions for the files in the %UserProfile% Pictures, Documents, Downloads, Music, Videos, Contacts, Links, and Desktop folders.

Once on its merry way, the ransomware then moves three files into the %Temp% folder on the victim’s machine, chrst.exe, ErOne.vbs, and firefox32.exe, as well as moving the firefox32.exe file into the Common Startup folder to ensure that it runs at boot.

Its next move is to use the ErOne.vbs script to display an alert saying “The file could not be found!” in an effort to make the person with the infected computer believe that the program didn’t work correctly, followed by the execution of the chrset.exe file to display the lock screen and to start a timer.

Upon reaching the end of the countdown the program terminates the csrss.exe process and causes Windows to crash, resulting in a reboot; once the machine reboots all files under the victims %UserProfile% folder are deleted.

Fourth Reich

While out in the wild there’s both good news and bad news, the good new being that as it stands the malware is poorly written and easy to address, but this could change with later versions.

If you’re worried about being attacked by the Fourth Reich of computer malware, as always we recommend you practice safe internet, be careful with what you download, and always have an up-to-date virus scanner.

Image credit: public domain CC0