Home / Capital & Crypto / Evil Bitcoin Ransomware Won’t Return Your Data – Even After You Pay

Evil Bitcoin Ransomware Won’t Return Your Data – Even After You Pay

Last Updated March 4, 2021 2:39 PM
Mark Emem
Last Updated March 4, 2021 2:39 PM

An insidious new strain of Bitcoin ransomware adds insult to injury for its unfortunate victims, as it refuses to restore access to your data – even after you fork over the ransom payment.

The malware, GermanWiper, tells victims it has encrypted their data, when in reality it has erased it completely. It then demands 0.15038835 BTC (approximately $1,750) under the pretext of offering victims a chance to get their data back.

The operating strategy of the GermanWiper Bitcoin ransomware


Bleeping Computer  reports that GermanWiper has, to date, primarily affected Microsoft Windows users in Germany.

GermanWiper uses a devious phishing campaign to target and infect business computers. The hackers package the malware in emails that appear to be from job applicants.

On the Bleeping Computer forums , some of those who have encountered the Bitcoin ransomware indicated that the phishing emails look like serious and highly professional job applications – complete with perfect grammar and spelling:

“My ‘customer’ was expecting job applications, as they had an advert posted with the ‘Bundesagentur für Arbeit’ (aka Jobcenter) and from what I have gathered from the Internet other victims also had jobs to offer. Pictures and other info was stolen from Xing it would seem. The grammar and spelling was good, and everything seemed in order. So no chance for the regular user to avoid this trap.”

The devil is in the zipped folder

One particular case involves a job applicant named Lena Kretschmer who is sending emails bearing subject: “Ihr Stellenangebot – Bewerbung [Your job offer – Application] – Lena Kretschmer.”

The email also contains an attachment with the .zip extension. Upon extracting the zipped file, two files bearing resembling PDF documents appear. However, these are not PDF files but rather shortcuts which launch a series of events that download and install the malware.

But unlike most ransomware, which encrypts victim data until they pay a specified amount of Bitcoin into a hacker-controlled address, GermanWiper erases the data completely  by overwriting the content with zeroes and ones.

Bitcoin ransomware GermanWiper
GermanWiper overwrites data, making recovery impossible | Source: BleepingComputer.com

Bitcoin ransomware spares critical functions

GermanWiper is not deleting all user data, though, and some files and folders are spared – especially those that are necessary for the proper booting of Windows OS and the browsing of the internet.

Since there is no chance of recovering the destroyed data, GermanWiper victims shouldn’t even think about sending any Bitcoin to the hackers.