Cooking Up Autumn (Herbst) Ransomware
By Rommel Abraham D Joven
Published: 2016-06-03 · Archived: 2026-04-05 15:25:19 UTC
Fortiguard’s behavior-based system designed to identify new malware has detected a German targeted
ransomware. We named it Herbst, a German word which in English means Autumn. 
Ransom Note
The Herbst ransom note appears in German in a dedicated window from its own running process. It demands that
a ransom be paid in bitcoin. We have also been able to determine the bitcoin address. Ransome note details are
listed below:
File encryption: AES 256 bit
Ransom Price: 0.1 Bitcoin or approximately USD $53.80 as of today.
Bitcoin Address: 18uM9JA1dZgvsgAaeeW2XZK13dTbk1jzWq
Figure 01: Ransom Note
https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware
Page 1 of 5

Key Preparation
The key is prepared by concatenating two random numbers from 0 to 99999999. Next, it concatenates strings in
random positions from the text variable, text.length times, as seen below. This key is hashed later and used as the
AES key.
Figure 02: Key Preparation Function
Targeted Directories
After preparing the key, Herbst proceeds to enumerate files from the StartupPath. It encrypts all kinds of files in
this directory, as shown by “*.*”.
It encrypts file in the following special folders:
Desktop, MyPictures, MyMusic, and Personal
Figure 03: File Enumeration
Encrypted File
The ransomware encrypts files and appends the extension to .herbst.
https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware
Page 2 of 5

Figure 04: Encrypted File Sample
File Encryption
The encryption starts by reading the file and calling the function AES_Encrypt.
Figure 05: Encryption Function
The malware then proceeds to hash the key generated from the previous function, and this is used as the AES key
for encrypting the files. After the file is encrypted with AES 256 bit, the malware then converts it to
Base64String. 
Figure 06: AES Encryption Function
https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware
Page 3 of 5

Figure 07: File Structure Before and After Encryption
Unfinished Business
This malware, written in C#, shows it’s unfinished because it has the following functions, but never calls them in
the main function:
Encrypt – believed to be the function in encrypting the AES key used before sending to the Command and
Control (C&C.)
Unlock – believed to be the decryption of the incoming traffic from the C&C.
Http – believed to be used to send and receive encrypted messages to the C&C.
https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware
Page 4 of 5

Figure 08: Malware Functions
Yes, the malware encrypts files and shows the decryption note; however ,it doesn’t send the AES key used to its
C&C, and doesn’t verify the transaction ID when used in the ransom window, making this an unfinished
ransomware.
Conclusion
Our analysis shows that cybercriminals could be cooking a ransomware targeting a German audience. From the
analysis, we conclude that Herbst is a beta version which is still under development. The malware doesn’t provide
any details on its C&Cs because it doesn’t call the HTTP function. We speculate that this version could just be a
test to check AV vendors’ ability to detect it without giving away their C&C. 
Fortiguard will continue to monitor Herbst future activities and developments.
File detection: W32/Herbst.A!tr
SHA256: 18605f7a5a47ac16f722e3ec8a42121035bb95f731aaad5090c5e11104fc3185
-=FortiGuard Lion Team=-
Source: https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware
https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware
Page 5 of 5