{
	"id": "63b6d2fc-8833-4580-b2f5-4e844ba0a2e6",
	"created_at": "2026-04-06T00:18:51.097355Z",
	"updated_at": "2026-04-10T03:26:37.610829Z",
	"deleted_at": null,
	"sha1_hash": "7ce57f550b3ea50559b02f8fb6540fa8fc466844",
	"title": "Discord Nitro gift codes now demanded as ransomware payments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2678731,
	"plain_text": "Discord Nitro gift codes now demanded as ransomware payments\r\nBy Lawrence Abrams\r\nPublished: 2021-04-18 · Archived: 2026-04-05 12:53:05 UTC\r\nIn a novel approach to ransom demands, a new ransomware calling itself 'NitroRansomware' encrypts victim's files and then\r\ndemands a Discord Nitro gift code to decrypt files.\r\nWhile Discord is free, they offer a Nitro subscription add-on for $9.99 per month that provides additional perks, such as\r\nlarger uploads, HD video streaming, enhanced emojis, and the ability to boost your favorite server, so its users enjoy extra\r\nfunctionality as well.\r\nWhen purchasing a Nitro subscription, users can apply it to their own account or buy it as a gift for another person. When\r\ngifting, the purchaser will be given an URL in the format https://discord.gift/[code], which can then be given to another\r\nDiscord user.\r\nhttps://www.bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/\r\nPage 1 of 7\n\nGifting a Nitro subscription\r\nNot your typical ransom demand\r\nWhile most ransomware operations demand thousands, if not millions, of dollars in cryptocurrency, Nitro Ransomware\r\ndeviates from the norm by demanding a $9.99 Nitro Gift code instead.\r\nBased on filenames for NitroRansomware samples shared by MalwareHunterteam and analyzed by BleepingComputer, this\r\nnew ransomware appears to be distributed as a fake tool stating it can generate free Nitro gift codes.\r\nWhen executed, the ransomware will encrypt a person's files and append the .givemenitro extension to encrypted files, as\r\nshown below.\r\nFiles encrypted by the NitroRansomware\r\nWhen finished, 
NitroRansomware will change the user's wallpaper to an evil or angry Discord logo, as shown below.\r\nWallpaper changed to angry Discord logo\r\nA ransomware screen will then be displayed demanding a free Nitro gift code within three hours, or ransomware will delete\r\nthe victim's encrypted files. This timer appears to be an idle threat as the ransomware samples seen by BleepingComputer do\r\nnot delete any files when the timer reaches zero.\r\nNitroRansomware screen\r\nWhen a user enters a Nitro gift code URL, the ransomware will verify it using a Discord API URL, as shown below. If a\r\nvalid gift code link is entered, the ransomware will decrypt the files using an embedded static decryption key.\r\nChecking if a Discord Nitro gift code is valid\r\nAs the decryption keys are static and are contained within the ransomware executable, it is possible to decrypt the files\r\nwithout actually paying the Nitro gift code ransom.\r\nTherefore, if you fall victim to this ransomware, you can share a link for the executable to extract a decryption key.\r\nUnfortunately, in addition to encrypting your files, the Nitro Ransomware will also perform other malicious activity on a\r\nvictim's computer.\r\nStealing tokens and executing commands\r\nIt would not be Discord-related malware if the threat actors didn't try to steal a victim's Discord tokens.\r\nDiscord tokens are authentication keys tied to a particular user, that when stolen, allow a threat actor to log in as the\r\nassociated user.\r\nWhen NitroRansomware starts, it will search for a victim's Discord installation path and then extract user tokens from the\r\n*.ldb files located under \"Local Storage\\leveldb.\" These tokens are then sent back to the threat actor over a 
Discord\r\nwebhook.\r\nStealing Discord user tokens\r\nAs part of this process, the malware will also attempt to steal data from Google Chrome, Brave Browser, and Yandex\r\nBrowser. \r\nNitroRansomware also includes functionality to execute commands and have the output sent through the webhook to the\r\nattacker's Discord channel. This is currently only used to get the computer's UUID using the 'wmic csproduct get uuid'\r\ncommand.\r\nActing as a backdoor to execute remote commands\r\nThe good news is that this ransomware does not do a good job hiding its decryption key, and users can recover their files for\r\nfree.\r\nHowever, the bad news is that the threat actor will likely have already stolen a user's Discord token.\r\nDue to this, users infected with this ransomware should immediately change their Discord password in case their account\r\nhas been compromised.\r\nUpdate 4/19/21: Added that the malware also steals information from browsers.\r\nSource: https://www.bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/"
	],
	"report_names": [
		"discord-nitro-gift-codes-now-demanded-as-ransomware-payments"
	],
	"threat_actors": [
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434731,
	"ts_updated_at": 1775791597,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ce57f550b3ea50559b02f8fb6540fa8fc466844.pdf",
		"text": "https://archive.orkl.eu/7ce57f550b3ea50559b02f8fb6540fa8fc466844.txt",
		"img": "https://archive.orkl.eu/7ce57f550b3ea50559b02f8fb6540fa8fc466844.jpg"
	}
}