The average ransomware payment in 2020 was $312,439 - a 3x increase from 2019 - and it is expected to climb further in 2021. But one ransomware operation, known as NitroRansomware, has applied a generous discount to this pricing, charging victims only $9.99 to decrypt their seized data.
The small ransom amounts aren’t paid in cash or Bitcoin; they’re subscription upgrades for the instant messaging solution Discord.
Like most successful SaaS products, Discord converts website visitors into paying customers through a freemium model - a marketing strategy in which a basic product is offered for free, while feature upgrades are charged for.
By upgrading to Discord’s paid subscription “Nitro” you’ll benefit from HD video streaming, larger file uploads, two server boosts, and enhanced emojis. Nitro upgrades can also be purchased as gift cards for friends.
Not a bad offering for only $9.99 a month.
But to one thrifty group of cybercriminals, this pricing was unacceptable.
Unwilling to forsake their frugality, NitroRansomware established a ransomware deployment workflow to benefit from the enhanced functionality of the Nitro product without spending a dime.
The malicious sequence starts with a seemingly innocuous offer of a free Nitro code generator - ironically targeting avaricious victims who also want to upgrade to Nitro without paying for it.
Once the fake tool is installed, the ransomware is deployed, and the encryption process begins. A changed wallpaper showing an angry Discord logo marks the encryption as complete.
Then, an eerie ransomware message is displayed, demanding the submission of a purchased Nitro gift code within 3 hours in exchange for a complete reversal of the damage.
Each submitted Nitro gift code URL is verified against the Discord API; once a code is verified, the decryption process is initiated.
Besides encrypting personal files, NitroRansomware performs additional malicious activities, such as stealing the victim’s Discord tokens and attempting remote access in order to execute commands sent by the attacker.
But NitroRansomware’s backdoor is rudimentary, and its decryption key is poorly hidden, so users could decrypt their files without succumbing to the ransom demands.
This suggests that the ransomware was developed in haste, possibly more as an entertaining experiment than as a serious threat - a concerning window into how readily functional ransomware can now be produced.