# Discord Nitro gift codes now demanded as ransomware payments **[bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/](https://www.bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/)** Lawrence Abrams By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) April 18, 2021 02:10 PM 3 In a novel approach to ransom demands, a new ransomware calling itself 'NitroRansomware' encrypts victim's files and then demands a Discord Nitro gift code to decrypt files. While Discord is free, they offer a Nitro subscription add-on for $9.99 per month that provides additional perks, such as larger uploads, HD video streaming, enhanced emojis, and the ability to boost your favorite server, so its users enjoy extra functionality as well. When purchasing a Nitro subscription, users can apply it to their own account or buy it as a gift for another person. When gifting, the purchaser will be given an URL in the format https://discord.gift/[code], which can then be given to another Discord user. ----- **Gifting a Nitro subscription** ## Not your typical ransom demand While most ransomware operations demand thousands, if not millions, of dollars in cryptocurrency, Nitro Ransomware deviates from the norm by demanding a $9.99 Nitro Gift code instead. [Based on filenames for NitroRansomware samples shared by MalwareHunterteam and](https://twitter.com/malwrhunterteam) analyzed by BleepingComputer, this new ransomware appears to be distributed as a fake tool stating it can generate free Nitro gift codes. When executed, the ransomware will encrypt a person's files and append the .givemenitro extension to encrypted files, as shown below. ----- **Files encrypted by the NitroRansomware** When finished, NitroRansomware will change the user's wallpaper to an evil or angry Discord logo, as shown below. **Wallpaper changed to angry Discord logo** ----- A ransomware screen will then be displayed demanding a free Nitro gift code within three hours, or ransomware will delete the victim's encrypted files. This timer appears to be an idle threat as the ransomware samples seen by BleepingComputer do not delete any files when the timer reaches zero. **NitroRansomware screen** When a user enters a Nitro gift code URL, the ransomware will verify it using a Discord API URL, as shown below. If a valid gift code link is entered, the ransomware will decrypt the files using an embedded static decryption key. **Checking if a Discord Nitro gift code is valid** As the decryption keys are static and are contained within the ransomware executable, it is possible to decrypt the files without actually paying the Nitro gift code ransom. ----- Therefore, if you fall victim to this ransomware, you can share a link for the executable to extract a decryption key. Unfortunately, in addition to encrypting your files, the Nitro Ransomware will also perform other malicious activity on a victim's computer. ## Stealing tokens and executing commands It would not be Discord-related malware if the threat actors didn't try to steal a victim's Discord tokens. Discord tokens are authentication keys tied to a particular user, that when stolen, allow a threat actor to log in as the associated user. When NitroRansomware starts, it will search for a victim's Discord installation path and then extract user tokens from the *.ldb files located under "Local Storage\leveldb." These tokens are then sent back to the threat actor over a Discord webhook. **Stealing Discord user tokens** As part of this process, the malware will also attempt to steal data from Google Chrome, Brave Browser, and Yandex Browser. NitroRansomware also includes functionality to execute commands and have the output sent through the webhook to the attacker's Discord channel. This is currently only used to get the computer's UUID using the 'wmic csproduct get uuid' command. ----- **Acting as a backdoor to execute remote commands** The good news is that this ransomware does not do a good job hiding its decryption key, and users can recover their files for free. However, the bad news is that the threat actor will likely have already stolen a user's Discord token. Due to this, users infected with this ransomware should immediately change their Discord password in case their account has been compromised. _Update 4/19/21: Added that the malware also steals information from browsers._ ### Related Articles: [Eternity malware kit offers stealer, miner, worm, ransomware tools](https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/) [Beware: Onyx ransomware destroys files instead of encrypting them](https://www.bleepingcomputer.com/news/security/beware-onyx-ransomware-destroys-files-instead-of-encrypting-them/) [Ransom payment is roughly 15% of the total cost of ransomware attacks](https://www.bleepingcomputer.com/news/security/ransom-payment-is-roughly-15-percent-of-the-total-cost-of-ransomware-attacks/) [FIN7 hackers evolve toolset, work with multiple ransomware gangs](https://www.bleepingcomputer.com/news/security/fin7-hackers-evolve-toolset-work-with-multiple-ransomware-gangs/) [Windows 11 KB5014019 breaks Trend Micro ransomware protection](https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/) [Discord](https://www.bleepingcomputer.com/tag/discord/) [Malware](https://www.bleepingcomputer.com/tag/malware/) [Nitro](https://www.bleepingcomputer.com/tag/nitro/) [Ransom](https://www.bleepingcomputer.com/tag/ransom/) [Ransomware](https://www.bleepingcomputer.com/tag/ransomware/) [Token](https://www.bleepingcomputer.com/tag/token/) [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence ----- Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. [Previous Article](https://www.bleepingcomputer.com/news/security/us-sanctions-cryptocurrency-addresses-linked-to-russian-cyberactivities/) [Next Article](https://www.bleepingcomputer.com/news/security/wordpress-may-automatically-disable-google-floc-on-websites/) ### Comments [SSM230 - 1 year ago](https://www.bleepingcomputer.com/forums/u/1201533/ssm230/) not trying to sound like i'm advocating for anything bad, but If the info and the nitro gift gets sent trough a webhook, it's possible to remove it by sending a DELETE request to it (if said webhook is easily accesible), hopefully someone has done this already [Plutie - 1 year ago](https://www.bleepingcomputer.com/forums/u/1163219/plutie/) reported it to discord already through a partner friend of mine, hopefully all nitro should be refunded, along with server removal/nuke. [TsVk! - 1 year ago](https://www.bleepingcomputer.com/forums/u/832774/tsvk/) Quite ironic really, people who are trying to steal nitro end up buying it for someone else just to keep their stuff. Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ----- ### You may also like: -----