Hitler Ransomware - How to remove

Hitler is a persona most of us would rather not have met in the real world and, luckily, none of us ever will. There is now, however, a highly malicious program bearing that name, Hitler-Ransomware, which can be encountered in the cyber world. Although this ransomware is regarded as only a development version, it can cause great damage to your data files. The attackers behind Hitler-Ransomware demand a mere 25 Euro Vodafone card, but paying cannot bring your data back: as the analysis below shows, the program never encrypts anything in the first place. Let us proceed with a more detailed analysis of the Hitler virus.

About Hitler-Ransomware

Hitler malware cannot be considered cryptomalware, a file-encrypting virus or any similar cyber threat because, just like Ranscam ransomware, it does not encrypt data: it deletes it. The sample is also regarded as a test variant, both because it performs no encryption at all and because of the comments left in its batch file:

Das ist ein Test
besser gesagt ein HalloWelt
copyright HalloWelt 2016
:d by CoolNass
Ich bin ein Pro
fuer Tools für Windows

As the comment makes obvious, the developers are German speakers. It translates as follows:

This is a test
or rather a Hello World
copyright Hello World 2016
:D by CoolNass
I am a pro
at tools for Windows

Hitler ransomware strips the file extensions from the files in a number of directories (listed below). Then a lock screen with a picture of Hitler performing the Nazi salute is displayed. A minor detail: the word "ransomware" is misspelled on it as "ransonware". The note claims that your files have been encrypted, which never actually takes place. It also contains a field in which to enter the cash code of a 25 Euro Vodafone card "for decryption", with a yellow "Decrypt" button right below it in the right corner. At the bottom of the screen a one-hour countdown timer counts down the time left until your files are deleted. When the hour is up, the malicious program crashes the computer so that it reboots and, upon restart, deletes all data present in the %UserProfile% folder.

On the technical side, the Hitler-Ransomware executable is a batch file bundled into an .exe. When run, it strips the extensions from the files in the following directories:

%userprofile%\Pictures
%userprofile%\Documents
%userprofile%\Downloads
%userprofile%\Music
%userprofile%\Videos
%userprofile%\Contacts
%userprofile%\Links
%userprofile%\Desktop
C:\Users\Public\Pictures\Sample Pictures
C:\Users\Public\Music\Sample Music
C:\Users\Public\Videos\Sample Videos

Three files are extracted from the bundled batch file: ErOne.vbs, chrst.exe and firefox32.exe. They are placed in the %Temp% directory; firefox32.exe is additionally dropped into the Startup folder so that it runs at the next logon. ErOne.vbs displays the warning "The file could not be found!" when the user tries to open any of the targeted files; it is meant to make the victim believe that something is wrong with the program used to open the file rather than with the file itself, which has merely lost its extension. chrst.exe is then executed and displays the ransom note described in detail above. When the timer reaches one hour, the csrss.exe process is terminated; Windows treats the loss of this process as a fatal error and responds with a BSOD (Blue Screen of Death), in other words a system crash. Because Windows restarts automatically after a crash by default, the computer reboots, firefox32.exe runs from the Startup folder and deletes the files stored under %UserProfile%.
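The behaviour above leaves two things to look for on disk: the three dropped files, and target files that have lost their extension but not their content. The following Python script is an added example, not code from the original article and not the malware's own code. It checks %Temp% and the Startup folder for the dropped files and gives extension-less files their extension back by sniffing their leading bytes, which is possible precisely because nothing was encrypted. The magic-byte table, the demo directory tree and the sample files are constructed for this example; on a real machine (ideally with the disk attached to a clean system, or after the malware has been removed) point it at the actual %Temp%, Startup and user directories instead.

```python
"""Triage and recovery helper for the on-disk traces of Hitler-Ransomware described above.

Added example; not code from the original article and not the malware's own code.
It relies only on the facts given in the analysis: ErOne.vbs, chrst.exe and firefox32.exe
are dropped into %Temp% (firefox32.exe also into the Startup folder), and files in the
targeted directories lose their extension but keep their content.  The magic-byte table,
the demo directory tree and the sample files are constructed for this example.
"""
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Names the analysis says are dropped into %Temp% and the Startup folder.
DROPPED_FILES = {"erone.vbs", "chrst.exe", "firefox32.exe"}

# Leading bytes -> extension to give back.  Assumed table; extend for the file types you expect.
MAGIC: List[Tuple[bytes, str]] = [
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"GIF8", ".gif"),
    (b"%PDF-", ".pdf"),
    (b"PK\x03\x04", ".zip"),  # also the container of .docx/.xlsx/.pptx; rename those by hand
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", ".doc"),  # legacy OLE2 Office documents
    (b"ID3", ".mp3"),
]


def find_dropped_files(temp_dir: Path, startup_dir: Path) -> List[Path]:
    """Return every dropped file present in %Temp% or the Startup folder (case-insensitive)."""
    hits: List[Path] = []
    for folder in (temp_dir, startup_dir):
        if folder.is_dir():
            hits.extend(p for p in folder.iterdir() if p.name.lower() in DROPPED_FILES)
    return sorted(hits)


def guess_extension(path: Path) -> Optional[str]:
    """Sniff the first bytes of a file and map them to an extension; None if unknown."""
    with path.open("rb") as fh:
        head = fh.read(16)
    for signature, ext in MAGIC:
        if head.startswith(signature):
            return ext
    return None


def restore_extensions(directory: Path, dry_run: bool = True) -> Dict[str, str]:
    """Give extension-less files in `directory` their extension back based on content.

    Returns {old name: new name}.  With dry_run=True (the default) nothing is renamed,
    which is the right first pass on a victim machine: review the plan, then rerun.
    """
    planned: Dict[str, str] = {}
    for p in sorted(directory.iterdir()):
        if not p.is_file() or p.suffix:
            continue  # only files that have lost their extension
        ext = guess_extension(p)
        if ext is None:
            continue  # unknown type: leave it for manual inspection
        target = p.with_name(p.name + ext)
        if target.exists():
            continue  # never overwrite an existing file
        planned[p.name] = target.name
        if not dry_run:
            p.rename(target)
    return planned


def build_demo() -> Tuple[Path, Path, Path]:
    """Constructed stand-in for %userprofile%\\Pictures, %Temp% and the Startup folder."""
    root = Path(tempfile.mkdtemp(prefix="hitler-rw-demo-"))
    pictures, temp, startup = root / "Pictures", root / "Temp", root / "Startup"
    for d in (pictures, temp, startup):
        d.mkdir()
    (pictures / "holiday").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # was holiday.png
    (pictures / "invoice").write_bytes(b"%PDF-1.4\n%constructed")             # was invoice.pdf
    (pictures / "notes").write_bytes(b"plain text, no recognisable signature")
    (temp / "chrst.exe").write_bytes(b"MZ")          # placeholder bytes, not the real dropper
    (startup / "firefox32.exe").write_bytes(b"MZ")
    return pictures, temp, startup


if __name__ == "__main__":
    pictures, temp, startup = build_demo()
    print("dropped files found:", [str(p) for p in find_dropped_files(temp, startup)])
    print("dry run plan:", restore_extensions(pictures))
    print("renamed:", restore_extensions(pictures, dry_run=False))
    print("Pictures now holds:", sorted(p.name for p in pictures.iterdir()))
```

The dry run is deliberate: a wrong signature match renames a file incorrectly, so inspect the plan before rerunning with dry_run=False. Files the table does not recognise are left alone rather than guessed.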

How is Hitler-Ransomware Distributed?

There is no distribution channel specific to the Hitler virus; it travels the beaten paths of similar threats, namely spam e-mail campaigns and exploit kits that abuse software vulnerabilities. The spam e-mails deliver the malicious code either through links in the message body or through attachments. Their appearance is deceptive: they can pose as official letters or documents, carry company logos, and so on. Do not take them at face value; they are only spam. Some play on your curiosity by leaving the sender line blank. Do not fall for that. The other distribution method relies on exploit kits such as Angler, Nuclear and Blackhole, which probe for unpatched software when you visit questionable domains. So keep your software updated from reliable sources, and have professional security software installed and kept up to date.

How to Decrypt Files Encrypted by Hitler-Ransomware?

As a preventive measure you can configure Windows not to restart automatically after a crash, since Hitler malware only deletes your data after the reboot. The setting is under System Properties > Advanced > Startup and Recovery > Settings, where you untick "Automatically restart"; it is stored in the registry as the AutoReboot value under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl. This only helps, however, if the infection has not yet run its course. Most probably you already have it on your computer; in that case your primary concern is the removal of this malware. Bear in mind that nothing has been encrypted: files in the targeted folders have merely lost their extensions and can be renamed back, and only the files deleted after the reboot need actual recovery. Apply professional automatic malware removal tools such as Spyhunter or Malwarebytes. To retrieve your data, use your backup (recommended), check the Shadow Volume Copies, and try professional data recovery tools such as the products of Kaspersky Lab, R-Studio, Recuva or PhotoRec as a last resort. Hitler ransomware can also be removed by following the instructions provided below.

Update of 6 February 2017. Hitler ransomware had been silent for a while, but security experts have now noted that a new and allegedly final version of this infection is tormenting Internet users. The ransom note it displays can be found above.

How to recover Hitler Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen, then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When the Command Prompt loads, enter rstrui.exe and press Enter. (On Windows XP the tool lives in a subfolder of System32, so enter cd restore first, then rstrui.exe.)
  • Click "Next" in the window that appears.
  • Select one of the Restore Points created before Hitler-Ransomware infiltrated your system and click "Next".
  • To start System Restore, click "Yes".

Step 2. Complete removal of Hitler Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program such as Spyhunter and remove all malicious files related to Hitler-Ransomware.

Step 3. Restore Hitler Ransomware affected files using Shadow Volume Copies

If System Restore is not enabled on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as of the point in time when the snapshot was created. Many ransomware families delete the Shadow Volume Copies before doing their damage; the analysis above does not show Hitler-Ransomware doing so, but snapshots may still be missing or too old, so this method does not work on every computer. Shadow Volume Copies are available on Windows XP Service Pack 2 and later, including Windows Vista, 7, 8 and 10; the Previous Versions tab described below exists from Windows Vista onward. There are two ways to retrieve your files from a Shadow Volume Copy: the native Windows Previous Versions feature or Shadow Explorer.

a) Native Windows Previous Versions
Right-click on an affected file (or, for files that were deleted, on the folder that contained them) and select Properties → Previous Versions tab. You will see all available copies of that file or folder and the time each was stored in a Shadow Volume Copy. Choose the version you want to retrieve and click Copy to save it to a directory of your choice, or Restore to replace the existing, damaged file. If you want to inspect the content first, just click Open.

b) Shadow Explorer
Shadow Explorer is a program available online for free, as either a full or a portable version. Open the program and, in the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select "Export", then choose where you want it to be stored.
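Both methods above pick snapshots by hand. When you know roughly when the lock screen appeared, it is quicker to list the shadow copies with vssadmin list shadows from an elevated command prompt and keep only those created before that time. The following Python script is an added example, not part of the original guide: it parses that output, selects the pre-infection snapshots and builds the shadow-copy path from which a file can be copied. The sample output embedded in it is constructed (set IDs, volume GUID, machine name and timestamps are made up) in the layout vssadmin prints on an English, US-date-format Windows install; other locales print the creation time differently, so the strptime format is an assumption to adjust.

```python
"""Select Shadow Volume Copies that predate the infection from `vssadmin list shadows` output.

Added example; not part of the original guide.  SAMPLE_VSSADMIN_OUTPUT is constructed
(set IDs, volume GUID, machine name and timestamps are made up) in the layout that
`vssadmin list shadows` prints on an English, US-date-format Windows install.  Other
locales print the creation time differently and need a different strptime format.
"""
import re
from datetime import datetime
from typing import Dict, List

SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 2/3/2017 8:15:02 PM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{01234567-89ab-cdef-0123-456789abcdef}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: VICTIM-PC
         Service Machine: VICTIM-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {66666666-7777-8888-9999-000000000000}
   Contained 1 shadow copies at creation time: 2/6/2017 9:40:11 AM
      Shadow Copy ID: {ffffffff-0000-1111-2222-333333333333}
         Original Volume: (C:)\\?\Volume{01234567-89ab-cdef-0123-456789abcdef}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: VICTIM-PC
         Service Machine: VICTIM-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

CREATION_RE = re.compile(r"Contained \d+ shadow copies at creation time: (.+)$")
VOLUME_RE = re.compile(r"Original Volume: \((\w:)\)")
DEVICE_RE = re.compile(r"Shadow Copy Volume: (\S+)")
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # assumed US locale; adjust for others


def parse_shadow_copies(text: str) -> List[Dict[str, object]]:
    """One record per shadow copy: drive letter, device path and creation time.

    vssadmin prints the creation time once per set and then the copies in that set,
    so the last seen creation time is carried forward until the next set header.
    """
    copies: List[Dict[str, object]] = []
    created = None
    drive = None
    for line in text.splitlines():
        m = CREATION_RE.search(line)
        if m:
            created = datetime.strptime(m.group(1).strip(), TIME_FORMAT)
            continue
        m = VOLUME_RE.search(line)
        if m:
            drive = m.group(1)
            continue
        m = DEVICE_RE.search(line)
        if m and created is not None:
            copies.append({"drive": drive, "device": m.group(1), "created": created})
    return copies


def snapshots_before(text: str, infection_time: datetime) -> List[Dict[str, object]]:
    """Shadow copies taken before the infection, newest first: the ones worth restoring from."""
    usable = [c for c in parse_shadow_copies(text) if c["created"] < infection_time]
    return sorted(usable, key=lambda c: c["created"], reverse=True)


def shadow_path(copy: Dict[str, object], relative: str) -> str:
    """Path of a file inside the snapshot, usable with `copy` or via Explorer after `mklink /d`."""
    rel = relative.lstrip("\\")
    return f"{copy['device']}\\{rel}"


if __name__ == "__main__":
    infected_at = datetime(2017, 2, 5, 13, 0, 0)  # assumed: when the lock screen appeared
    for snap in snapshots_before(SAMPLE_VSSADMIN_OUTPUT, infected_at):
        print(snap["drive"], snap["created"], shadow_path(snap, r"\Users\alice\Documents"))
```

On a real machine, feed the script the text returned by subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True).stdout from an administrator prompt. The chosen snapshot can then be exposed as a folder with mklink /d C:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\ (the trailing backslash is required) and browsed like any other read-only directory.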

Step 4. Use Data Recovery programs to recover Hitler Ransomware encrypted files

There are several data recovery programs that might recover the deleted files as well. Because Hitler-Ransomware deletes rather than encrypts, stop using the affected disk as soon as possible so that the freed space is not overwritten. This does not work in all cases, but you can try the following:
  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware, so we recommend using decent cloud backup software as a precaution. Consider Carbonite, BackBlaze, CrashPlan or Mozy Home.