{
	"id": "47aa239d-7c87-44d4-ae83-0efe8563304f",
	"created_at": "2026-04-06T00:21:20.493829Z",
	"updated_at": "2026-04-10T03:20:17.901171Z",
	"deleted_at": null,
	"sha1_hash": "54428e7ec5af26b30e2505cd3628f06bd814dc4e",
	"title": "Cooking Up Autumn (Herbst) Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1386330,
	"plain_text": "Cooking Up Autumn (Herbst) Ransomware\r\nBy Rommel Abraham D Joven\r\nPublished: 2016-06-03 · Archived: 2026-04-05 15:25:19 UTC\r\nFortiGuard’s behavior-based system designed to identify new malware has detected a German-targeted\r\nransomware. We named it Herbst, a German word which in English means Autumn. \r\nRansom Note\r\nThe Herbst ransom note appears in German in a dedicated window from its own running process. It demands that\r\na ransom be paid in bitcoin. We have also been able to determine the bitcoin address. Ransom note details are\r\nlisted below:\r\nFile encryption: AES 256 bit\r\nRansom Price: 0.1 Bitcoin or approximately USD $53.80 as of today.\r\nBitcoin Address: 18uM9JA1dZgvsgAaeeW2XZK13dTbk1jzWq\r\nFigure 01: Ransom Note\r\nhttps://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware\r\nPage 1 of 5\n\nKey Preparation\r\nThe key is prepared by concatenating two random numbers from 0 to 99999999. Next, it concatenates strings in\r\nrandom positions from the text variable, text.length times, as seen below. This key is hashed later and used as the\r\nAES key.\r\nFigure 02: Key Preparation Function\r\nTargeted Directories\r\nAfter preparing the key, Herbst proceeds to enumerate files from the StartupPath. It encrypts all kinds of files in\r\nthis directory, as shown by “*.*”.\r\nIt encrypts files in the following special folders:\r\nDesktop, MyPictures, MyMusic, and Personal\r\nFigure 03: File Enumeration\r\nEncrypted File\r\nThe ransomware encrypts files and appends the extension .herbst.\r\nFigure 04: Encrypted File Sample\r\nFile Encryption\r\nThe encryption starts by reading the file and calling the function AES_Encrypt.\r\nFigure 05: Encryption Function\r\nThe malware then proceeds to hash the key generated from the previous function, and this is used as the AES key\r\nfor encrypting the files. 
After the file is encrypted with AES 256 bit, the malware then converts it to\r\nBase64String. \r\nFigure 06: AES Encryption Function\r\nFigure 07: File Structure Before and After Encryption\r\nUnfinished Business\r\nThis malware, written in C#, appears to be unfinished because it has the following functions but never calls them in\r\nthe main function:\r\nEncrypt – believed to be the function for encrypting the AES key used before sending it to the Command and\r\nControl (C\u0026C).\r\nUnlock – believed to be the decryption of the incoming traffic from the C\u0026C.\r\nHttp – believed to be used to send and receive encrypted messages to the C\u0026C.\r\nFigure 08: Malware Functions\r\nYes, the malware encrypts files and shows the decryption note; however, it doesn’t send the AES key used to its\r\nC\u0026C, and doesn’t verify the transaction ID when used in the ransom window, making this an unfinished\r\nransomware.\r\nConclusion\r\nOur analysis shows that cybercriminals could be cooking a ransomware targeting a German audience. From the\r\nanalysis, we conclude that Herbst is a beta version which is still under development. The malware doesn’t provide\r\nany details on its C\u0026Cs because it doesn’t call the HTTP function. We speculate that this version could just be a\r\ntest to check AV vendors’ ability to detect it without giving away their C\u0026C. \r\nFortiGuard will continue to monitor Herbst’s future activities and developments.\r\nFile detection: W32/Herbst.A!tr\r\nSHA256: 18605f7a5a47ac16f722e3ec8a42121035bb95f731aaad5090c5e11104fc3185\r\n-=FortiGuard Lion Team=-\r\nSource: https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware"
	],
	"report_names": [
		"cooking-up-autumn-herbst-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434880,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54428e7ec5af26b30e2505cd3628f06bd814dc4e.pdf",
		"text": "https://archive.orkl.eu/54428e7ec5af26b30e2505cd3628f06bd814dc4e.txt",
		"img": "https://archive.orkl.eu/54428e7ec5af26b30e2505cd3628f06bd814dc4e.jpg"
	}
}