Hitler-Ransomware is a crude Windows ransomware-like malware discovered in 2016 by AVG malware analyst Jakub Kroustek. It is also misspelled in its lock screen as "Hitler-Ransonware" and reporting assessed it as an immature test or prototype variant, with embedded German-language text such as "Das ist ein Test" suggesting possible German origin or a German-speaking author. The malware displays a lock screen featuring Adolf Hitler, falsely claims the victim's files were encrypted, and demands payment via a 25 Euro Vodafone card within one hour.
Despite its claims, the malware does not encrypt files. Instead, it removes file extensions from files in user-accessible directories including %userprofile%\Pictures, Documents, Downloads, Music, Videos, Contacts, Links, and Desktop, as well as sample media folders under C:\Users\Public. Analysis described the main executable as a batch file converted into an installer executable. On execution it extracts chrst.exe, ErOne.vbs, and firefox32.exe into a temporary folder under %Temp%. ErOne.vbs displays the message "The file could not be found!" to mislead the victim, and firefox32.exe is copied into the Windows Common Startup folder for persistence at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\firefox32.exe.
The malware starts a one-hour countdown and displays the lock screen. When the timer expires, it terminates csrss.exe, causing Windows to crash with a BSOD or hang until reboot. After reboot and login, the persisted firefox32.exe component deletes files under the victim's %UserProfile% directory. While active, it also monitors for and terminates taskmgr, utilman, sethc, and cmd to hinder user intervention. Reporting compared the threat to Ranscam because it pretends to encrypt data while actually destroying it. High-confidence associated files include %Temp%[folder].tmp\chrst.exe, %Temp%[folder].tmp\ErOne.vbs, %Temp%[folder].tmp\firefox32.exe, and the Startup-folder copy of firefox32.exe.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
9 distinct techniques documented for this family, organized by ATT&CK tactic.
The ErOne.vbs script is now executed, which will display an alert stating "The file could not be found!". This alert is shown simply to make the victim think that the program did not work correctly.
After that hour it will crash the victim's computer, and on reboot, delete all of the files under the %UserProfile% of the victim.
"WannaCry ransomware attack"; "CryptoLocker"; "TeslaCrypt"; "KeRanger"; "Hidden Tear"; "Jigsaw (ransomware)"; "Atlanta government ransomware attack"; "2019 Baltimore ransomware attack"; "FBI MoneyPak Ransomware"; "Annabelle (ransomware)"; "Philadelphia (ransomware)"; "Kirk Ransomware"; "Rensenware"; "Hitler-Ransomware"
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware-themed malware that presents a Hitler lock-screen and demands a €25 Vodafone gift card. Despite claiming encryption, it instead runs a script to disassociate file types to simulate encryption; if the victim does not pay within the timer window (in the original version), it triggers a crash/BSOD and deletes files in user profile folders on reboot. Later variants include 'Hitler 2' (disguised as CainXPii) and a January 2017 'FINAL version'.
Windows ransomware test variant under development that does not actually encrypt files; instead it removes file extensions in various directories, displays a Hitler-themed lock screen with a countdown, demands payment via a Vodafone card, crashes the system with a BSOD, and upon reboot deletes files in the user profile folder.
A crude Windows pseudo-ransomware/wiper that pretends to encrypt files, displays a Hitler-themed lock screen and ransom demand, removes file extensions, crashes the system after a countdown, and deletes victim files on reboot rather than providing recovery.
Ransomware still in development that does not actually encrypt files despite claiming to. Instead, it removes file extensions in certain directories, demands a €25 Vodafone Card code, triggers a forced Windows crash after a one-hour countdown, and upon reboot deletes the user’s files.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.