Hitler Ransomware

Hitler Ransomware is officially a thing, and it was first discovered on August 6, 2016. Despite its eye-catching name, this ransomware is not unique by any measure. It is set to modify and, thus, ruin your files and demand that you pay a ransom to get them back. It does not encrypt the files so fixing them is not difficult. Now, the method used to pay the ransom is rather odd since the cyber criminals do not ask to pay it in Bitcoins, but to use an entirely different payment platform. We regard it as a low-grade ransomware because you can trick it and get your files back free of charge. However, you have to remove Hitler Ransomware before you attempt to fix the files because it will delete them if you allow it to remain.

This ransomware is pretty basic, so its distribution method is basic as well. Its unknown creators have set up a server that sends email spam to random email addresses. The emails can be presented as invoices from various international shipping companies. They contain fake attachments that can look like PDF or DOC files but do not open when launched. However, the fake attachment files start this ransomware that immediately drops its malicious files onto your computer.

We have obtained a sample of this malicious application and tested it. We found that when you open the malicious attachment, it silently drops two files called chrst.exe and firefox32.exe to %TEMP%\[random name].tmp. chrst.exe is immediately executed. This executable does not encrypt the files but rather removes their extensions. So if you have an image file named picture.jpeg, then the .jpeg part is erased. As a result, you cannot open the file which may look like it has been encrypted. However, you can just right-click the file and select Rename. Then, add the .jpeg extension manually. Note that this will only work if you enter the correct extension name, so doing this manually to thousands of files is time-consuming and frankly not guaranteed to work. A third file also called firefox32.exe is dropped in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and it is set to delete the files without an extension when a timer runs out. Take note that this file will initiate the erasure of your files if you reboot your PC, so do not do that until you have neutralized this ransomware.

Testing has shown that this ransomware is set to remove the extensions from files located in file paths that include %USERPROFILE%\Desktop, %USERPROFILE%\Music, %USERPROFILE%\Pictures, %USERPROFILE%\Documents, and %USERPROFILE%\Downloads. The ransomware will also open a GUI (Graphical User Interface) window that features the picture of Adolph Hitler, hence the name Hitler Ransomware. It claims that your files have been encrypted which is, as you now know, false. It also has a timer that gives you one hour to pay the ransom. If you do not pay the ransom, then the affected files will be erased, and the computer will get a BSoD error and restart.

The cyber criminals want you to pay the ransom by purchasing a 25 Euro Vodafone Card and entering the code in the text box found on its GUI. This payment method is unlike what we have seen before. It is much easier than paying using Bitcoins. However, it has its limitations. Only users that live a country that sells those codes can purchase them and attempt to enter the code. However, this system does not look foolproof, and the chances are that you will not get your files back after you have paid, but as mentioned earlier. You do not have to purchase the code because you can get your files back for free.

In closing, Hitler Ransomware is a low-grade infection but one that still poses a threat as it can erase your files if you restart your PC or when the one-hour timer runs out. If you act quickly, then you can save most if not all of your files by removing this ransomware and adding the missing file extension names manually. Please consult the instructions on how to delete Hitler Ransomware’s files.

Removal Instructions

1. Press Alt+F4 to terminate this ransomware’s process.
2. Find and remove chrst.exe and firefox32.exe files in %TEMP%\[random name].tmp
3. Press Windows+E keys and enter the following file paths in the address box.
   • For Windows XP: %ALLUSERSPROFILE%\Start Menu\Programs\Startup\firefox32.exe
   • For Windows Vista and over: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\firefox32.exe
4. Delete the copy of firefox32.exe from the Startup folder.
5. Right-click on each affected file and append its name with the correct extension.