{
	"id": "4e821bfd-d67a-494f-bfcb-6f5df5c2adf7",
	"created_at": "2026-04-06T00:17:55.442403Z",
	"updated_at": "2026-04-10T03:26:37.671218Z",
	"deleted_at": null,
	"sha1_hash": "838b10804c5a3f4a665269e6df650e7095b11006",
	"title": "GitHub - NightfallGT/Nitro-Ransomware: Discord nitro gift subscription ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 277227,
	"plain_text": "GitHub - NightfallGT/Nitro-Ransomware: Discord nitro gift\r\nsubscription ransomware\r\nBy NightfallGT\r\nArchived: 2026-04-05 22:45:39 UTC\r\nNitro Ransomware - Proof of Concept\r\nUses Discord nitro gift subscription as ransom. C# Ransomware for educational purposes only\r\nAbout\r\nRansomware is a type of malware that prevents or limits users from accessing their files in their sysem. It locks\r\nthe user's files until the ransom is paid, in this case, a Discord nitro subscription. If a user wants to unlock their\r\nfiles, a decryption key is needed. The ransomware asks for the ransom in exchange for the decryption key.\r\nDisclaimer\r\nThis Ransomware should not be used to harm/threat/hurt others. Its purpose is only to share knowledge and\r\nawareness about Malware/Cryptography/Operating Systems/Programming. NitroRansomware is an academic\r\nransomware made for learning and spreading awareness about how security/cryptography can be used maliciously.\r\nHow it works\r\nWhen the .exe file is run, it encrypts the user's Documents, Desktop, and Pictures folder. It then recursively checks\r\nfor any nested folders in the folders, and encrypts all of its contents. In order to decrypt the files, the user has to\r\npaste a valid Discord nitro gift subscription and submit it. The program checks if it is valid, and if it is, it is sent to\r\nyour webhook. The user receives the decryption key which allows them to decrypt the encrypted files. If it is not,\r\nthe decrypion key will not be sent, and the user wil not be able to open their files.\r\nThis program should only be used for educational purposes only. Do not use this on others maliciously.\r\nPreview\r\nWebhook Preview\r\nhttps://github.com/nightfallgt/nitro-ransomware\r\nPage 1 of 3\n\nRansomware\r\nFeatures\r\nAES Encryption/ Decryption\r\nAdds to startup registry\r\nGrabs user's PC username, name, and uuid\r\nDiscord Nitro Checker\r\nToken Grabber\r\nhttps://github.com/nightfallgt/nitro-ransomware\r\nPage 2 of 3\n\nIP Grabber\r\nDiscord Webhook Logs\r\nUsage\r\n1. Make sure you have Visual Studio 2019 with C# installed. (.NET Desktop Development)\r\n2. Open NitroRansomware.sln , then open Program.cs .\r\n3. Pase your webhook link next to WEBHOOK .\r\n4. You can change the decryption key too, if you want. DECRYPT_PASSWORD\r\n5. Click on release, then build the solution. Do NOT run it, because it is malware and may encrypt your files.\r\n6. You can now test it in a protected environment such as a virtual machine.\r\nSource: https://github.com/nightfallgt/nitro-ransomware\r\nhttps://github.com/nightfallgt/nitro-ransomware\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/nightfallgt/nitro-ransomware"
	],
	"report_names": [
		"nitro-ransomware"
	],
	"threat_actors": [
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434675,
	"ts_updated_at": 1775791597,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/838b10804c5a3f4a665269e6df650e7095b11006.pdf",
		"text": "https://archive.orkl.eu/838b10804c5a3f4a665269e6df650e7095b11006.txt",
		"img": "https://archive.orkl.eu/838b10804c5a3f4a665269e6df650e7095b11006.jpg"
	}
}