It's not every day that you get a glimpse into what a malware program looks like before it's completed, but today, we get to see two. The ElGato ransomware for Android and the Hitler-Ransonware (yes, that's the real spelling) for Windows channel two things the Internet loves discussing: cats and Adolf Hitler.
They then leverage those memes to encrypt your files and demand a ransom. Or, at least, they would, if they were finished.
McAfee Labs discovered ElGato "running on a legitimate cloud server provider," which it would not name, since it wanted to give the company a chance to clean up its act. ElGato can encrypt files, steal text messages and lock users out of their own devices. Said users might not notice, however, because whenever it locks a phone, it displays a picture of a cuddly cat mid-yawn.
The good news, if getting a piece of malware can be good news, is that the ElGato ransomware appears to be very much a work in progress. At present, there's no actual ransom demand. Furthermore, although the program has the capacity to encrypt files, it doesn't actually do so. McAfee researchers were even able to tap into the program's own servers, ironically enough, because its communications with them aren't encrypted.
McAfee theorizes that ElGato isn't meant to be a fully functional ransomware package, but rather a demo for something that malefactors could buy as part of an exploit kit. Either way, a good Android antivirus program will quash it.
What's more embarrassing than a piece of ransomware that doesn't do anything? Perhaps it's one that does something really weak. AVG malware analyst Jakub Kroustek discovered the Hitler-Ransonware: a Nazi-worshipping malicious program that can't even spell its own name right. Worse still: It doesn't even want money. It wants a €25 Vodafone card code.
Bleeping Computer did a thorough write-up of the malicious(ish) software, which doesn't appear to be ready for prime time. In addition to its silly ransom request, a batch file, written in shaky German, reads "This is a test" and "Hello world." ("Hello world" is usually the first thing a programmer writes when he or she learns a new coding language.)
The worst part, though, is that the program doesn't even encrypt anything. Instead, it strips the extensions from a user's files, shows a lock screen, and demands its paltry wergild. An hour later, it crashes the computer, then deletes all files in the user's %UserProfile% folder. This usually includes My Documents and whatever pictures and music you keep there.
Kroustek didn't mention where he came across this malware-in-progress, so users are probably safe from it, for now. Even if they weren't, though, all they'd need to do is remove the program, put the extensions back on the renamed files (their contents are untouched), and recover whatever was deleted from %UserProfile%. Undeleting files can be a pain in the butt, but it's not difficult to do, provided the drive hasn't been written to much since the deletion.
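Because the Windows sample only strips extensions instead of encrypting, the file contents are intact and recovery is mostly a matter of working out what each extensionless file is and renaming it. The script below is an added example, not code from this article, from Bleeping Computer, or from the malware analysis itself: it uses a small hand-written magic-byte table (an assumption; real triage would lean on `file`/libmagic for broader coverage), skips anything it can't identify or that would overwrite an existing file, and runs on constructed sample files in a temporary directory so it can be tried offline. Run it against a copy of the data, never the only copy.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Hand-written signature table (assumption: only a few common types are covered).
# Note that PK\x03\x04 is the generic ZIP container, so docx/xlsx/jar all come back as .zip.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF8", "gif"),
    (b"PK\x03\x04", "zip"),
    (b"ID3", "mp3"),
]


def sniff_extension(head: bytes) -> Optional[str]:
    """Return the extension for the first matching signature, or None if unknown."""
    for signature, ext in MAGIC:
        if head.startswith(signature):
            return ext
    return None


def restore_extensions(directory: str, dry_run: bool = False) -> Dict[str, str]:
    """Rename every extensionless file under `directory` whose type can be sniffed.

    Returns a mapping of old name -> new name. Files with an unknown type are left
    alone, and a rename is skipped rather than clobbering an existing target.
    """
    renamed: Dict[str, str] = {}
    # Materialise the listing first so renames don't disturb the walk.
    for path in sorted(Path(directory).rglob("*")):
        if not path.is_file() or path.suffix:
            continue
        with path.open("rb") as fh:
            head = fh.read(16)
        ext = sniff_extension(head)
        if ext is None:
            continue
        target = path.with_name(path.name + "." + ext)
        if target.exists():
            continue
        if not dry_run:
            path.rename(target)
        renamed[path.name] = target.name
    return renamed


def demo() -> Dict[str, str]:
    """Constructed scenario: write sample files, strip their extensions as the
    malware does, then restore them. Returns the rename map for inspection."""
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,   # constructed PNG header
        "report.pdf": b"%PDF-1.4\n%constructed sample",     # constructed PDF header
        "notes.txt": b"plain text carries no magic bytes",  # will not be identified
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            (Path(tmp) / name).write_bytes(data)
        # Simulate the malware: drop every extension.
        for name in samples:
            p = Path(tmp) / name
            p.rename(p.with_suffix(""))
        return restore_extensions(tmp)


if __name__ == "__main__":
    for old, new in demo().items():
        print(f"{old} -> {new}")
```

The `notes` file is deliberately left untouched: plain text has no signature, and guessing would be worse than reporting it for manual review. That is also why the function returns the rename map rather than just acting silently, so a `dry_run=True` pass can be reviewed before anything on disk changes.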
Ransomware is usually one of the most pernicious and dangerous types of malware, but these two programs illustrate that it's not scary at all when defanged. Maybe someday they'll be real scourges of the internet, but until then, a good antivirus program will keep them at bay, same as any other run-of-the-mill malicious software.