Bleeping Computer reported on NitroRansomware, ransomware that encrypts victims’ files, steals information from browsers, and then demands Discord Nitro gift codes as the ransom payment.
Although Discord itself is free, users can purchase a Nitro subscription for $9.99 a month, which provides access to premium features including increased download size, improved emoji, animated avatars, and more. A Nitro subscription can either be applied to your own account or bought as a gift for another person. In the second case, the buyer receives a URL in the format https://discord.gift/code, which can then be shared with another Discord user.
Based on the filenames from the NitroRansomware samples provided to MalwareHunterTeam reporters, the ransomware is being distributed under the guise of a fake tool to generate free Nitro gift codes. Once launched, the malware encrypts the victim’s files and adds the .givemenitro extension to them.
The ransomware then changes the user’s wallpaper and shows a ransom screen demanding a free Nitro gift code within three hours; otherwise, the malware threatens to delete all encrypted files. This, according to journalists, is an empty threat: NitroRansomware does not delete files when the timer reaches zero.
When a user provides the malware with a Nitro gift code URL, the ransomware validates it using the Discord API. If the gift code link is valid, the ransomware decrypts the files using the built-in static decryption key.
Unfortunately, the ransomware is not limited to data encryption alone. The attackers also try to steal the victim’s Discord tokens (authentication keys associated with a specific user) and steal data from the Chrome, Brave, and Yandex Browser browsers. Because of this, victims of NitroRansomware are advised to change their Discord passwords immediately after the attack.
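To scope the impact on an affected host, the .givemenitro extension described above is enough to inventory what was encrypted. The script below is an added example, not code from the Bleeping Computer report; the function names and the `original_present` check (whether a file with the pre-encryption name still sits in the same directory) are assumptions made for illustration.

```python
import os
from collections import Counter

EXT = ".givemenitro"  # extension the article says NitroRansomware appends


def inventory(root):
    """Walk root and describe every file carrying the ransomware extension."""
    hits = []
    # os.walk does not follow symlinks by default; unreadable dirs are skipped.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        names = set(files)
        for name in files:
            # Skip non-matches and a file named exactly ".givemenitro".
            if not name.lower().endswith(EXT) or len(name) == len(EXT):
                continue
            original = name[: -len(EXT)]
            path = os.path.join(dirpath, name)
            try:
                size = os.lstat(path).st_size
            except OSError:
                size = None  # unreadable entry: still report it
            hits.append({
                "path": path,
                "original_name": original,
                "size": size,
                # True when a file with the pre-encryption name sits beside it
                "original_present": original in names,
            })
    return hits


def summarize(hits):
    """Per-directory counts plus totals, suitable for an incident ticket."""
    by_dir = Counter(os.path.dirname(h["path"]) for h in hits)
    return {
        "files": len(hits),
        "bytes": sum(h["size"] or 0 for h in hits),
        "without_original": sum(not h["original_present"] for h in hits),
        "by_dir": dict(by_dir),
    }


if __name__ == "__main__":
    import json
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(json.dumps(summarize(inventory(root)), indent=2))
```

Run it against a user profile or a mounted disk image; the `without_original` count shows how many files have no intact copy next to them and must come from backup or decryption.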
Overall, it is a funny extortionist. But there are also quite cute ones; for example, I wrote that the Ziggy ransomware operator returns money to victims.