Nitro Ransomware Description
Several ransomware families have already been observed using Discord webhooks to communicate with their operators and to exfiltrate data from compromised systems. The cybercriminals behind the Nitro Ransomware have taken this a step further: instead of the usual ransom paid in one of the popular cryptocurrencies, they demand payment from their victims in Discord Nitro gift codes.
Discord is one of the most popular social platforms among computer users. It started as a VoIP (Voice over IP) service catering to PC gamers and has since grown into a full-fledged platform on which users send messages, conduct audio and video calls, share files, and communicate either in private chats or in communities called servers. On top of its free tier, Discord offers a paid 'Nitro' subscription priced at $9.99. For that price, users get a higher limit on uploaded files, HD video streaming, additional emojis, and the option to promote servers. It is these Nitro subscriptions that the Nitro Ransomware operators are after.
Static Decryption Key and Discord Gift Codes
The Nitro Ransomware is distributed under the guise of a software tool that supposedly generates free Nitro gift codes. Users who try to obtain such codes through illicit means are instead infected with the ransomware. The files on the compromised computer are then locked by an encryption routine, and each affected file gets '.givemenitro' appended to its name as a new extension. Once encryption has finished, the Nitro Ransomware replaces the desktop wallpaper with an image of a modified Discord logo and displays its ransom note in a pop-up window.
According to the instructions, victims have 3 hours to enter a valid Discord Nitro gift code in the appropriate field to decrypt their files. If the timer expires, the attackers threaten, all of the encrypted data will be deleted and lost forever. This, however, is an empty threat: analysis of the underlying code has shown that no files are deleted when the timer runs out. Furthermore, the Nitro Ransomware uses an embedded static decryption key to restore the files once an acceptable gift code is entered. Because that key is embedded in the binary rather than generated per victim and held only by the attackers, it can be extracted from a sample, which means a decryptor could be created so that users recover their files for free without engaging with the attackers at all.
The Nitro Ransomware Has Additional Threatening Functionality
The nefarious capabilities of the Nitro Ransomware go beyond file locking. The threat can also act as a backdoor, allowing the attackers to execute arbitrary commands on the compromised system remotely; the command output is then sent to the attacker's Discord channel through webhooks. The Nitro Ransomware can also collect Discord tokens from its victims, which can then be used to breach the associated Discord accounts and servers.
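As an added example, not part of the original description and not code from the malware itself, the following Python triage helper scans a strings dump or log excerpt for the two artifacts this section describes: Discord webhook URLs, which are both an indicator and a credential (anyone holding the URL can post to the channel), and Discord user tokens. The regular expressions encode the widely documented webhook URL and token formats, which is an assumption on the editor's part rather than something the page states, and the sample input is constructed; none of the identifiers in it are real.

```python
import re
from typing import Dict, List

# A Discord webhook URL carries the webhook id and its secret token; anyone
# holding the URL can post to (and exfiltrate through) that channel, so the
# URL itself is a credential and a high-value IOC when it appears in a binary
# or in outbound proxy logs.
WEBHOOK_RE = re.compile(
    r"https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)"
)

# Discord user tokens, as commonly documented: a "classic" three-part form
# <base64 user id>.<base64 timestamp>.<signature>, and an "mfa." form for
# accounts with two-factor authentication. The lengths are assumptions based
# on the widely reported format and may drift; matches are leads for review,
# not proof.
TOKEN_RE = re.compile(
    r"(?<![\w-])(?:mfa\.[\w-]{84}|[\w-]{24}\.[\w-]{6}\.[\w-]{27,40})(?![\w-])"
)


def mask(secret: str, keep: int = 6) -> str:
    """Keep only a short prefix so the triage report does not itself leak the credential."""
    return secret[:keep] + "..." if len(secret) > keep else "***"


def find_webhooks(text: str) -> List[Dict[str, str]]:
    """Return every Discord webhook URL in text, with the token masked."""
    return [
        {"id": m.group(1), "token": mask(m.group(2)), "host": m.group(0).split("/")[2]}
        for m in WEBHOOK_RE.finditer(text)
    ]


def find_tokens(text: str) -> List[str]:
    """Return masked Discord user-token candidates found in text."""
    # Webhook URLs are reported separately; strip them first so their token
    # segment cannot be misreported as a user token.
    cleaned = WEBHOOK_RE.sub("", text)
    return [mask(m.group(0)) for m in TOKEN_RE.finditer(cleaned)]


def triage(text: str) -> Dict[str, object]:
    """Summarise webhook and token findings for a strings dump or log excerpt."""
    hooks = find_webhooks(text)
    toks = find_tokens(text)
    return {"webhooks": hooks, "tokens": toks, "suspicious": bool(hooks or toks)}


# Constructed sample: a few lines as they might come from `strings` run over a
# suspicious binary, plus one outbound proxy log line. Nothing here is real.
SAMPLE = "\n".join([
    "wallpaper=givemenitro.png",
    "https://discord.com/api/webhooks/123456789012345678/"
    "CONSTRUCTED-SAMPLE-WEBHOOK-TOKEN-abcdefghijklmnopqrstuvwxyz0123456789",
    "token=MDAwMDAwMDAwMDAwMDAwMDAw.AAAAAA.CONSTRUCTED_SAMPLE_NOT_REAL",
    "authorization: mfa." + "x" * 84,
    "2021-04-18T12:00:00Z proxy POST https://discord.com/api/webhooks/"
    "987654321098765432/AnotherConstructedToken 200",
])

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run it over `strings` output from a suspicious sample, over web proxy logs (an outbound POST to discord.com/api/webhooks from a host that should not be talking to Discord is the exfiltration path this section describes), or over the Discord desktop client's Local Storage LevelDB files, where the client keeps its token. A token hit in a binary's strings or a webhook hit in proxy logs is the cue to treat the account as compromised and rotate it rather than just clean the file.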
Apart from trying to recover their encrypted files, victims of the Nitro Ransomware are also strongly encouraged to change their Discord passwords as soon as possible, since a stolen token grants access to the account without the password. Another preventive measure against follow-up attacks is to scan the infected system for additional malware payloads that the backdoor might have delivered. Finally, check for any new Windows accounts the attackers might have created and delete them immediately.