Ransomware payments drop to $9.99

Edward Kost
Edward Kost
April 19, 2021

The average online ransom price in 2020 was $312,439 - a 3x increase from 2019 - and it’s expected to surge further upwards in 2021. But a certain ransomware gang, known as NitroRansomware, has applied a generous discount to this pricing, charging victims only $9.99 to decrypt their seized data.

The small ransom amounts aren’t paid in cash or Bitcoin; they’re subscription upgrades for the instant messaging solution Discord.

Like most successful SaaS products, Discord converts website visitors into paying customers by utilizing a freemium model - a marketing strategy where a basic product is offered for free, but money is charged for feature upgrades.

By upgrading to Discord’s paid subscription “Nitro” you’ll benefit from HD video streaming, larger file uploads, two server boosts, and enhanced emojis. Nitro upgrades can also be purchased as gift cards for friends.

Discord Nitro
Nitro is Discord's paid subscription product - Source: discord.com

Not a bad offering for only $9.99 a month.

But to one thrifty group of cybercriminals, this pricing was unacceptable.

Unwilling to forsake their frugality, NitroRansomware established a ransomware deployment workflow to benefit from the enhanced functionality of the Nitro product without spending a dime.

The malicious sequence starts with a seemingly innocuous offer of a free Nitro code generator - ironically targeting avaricious victims that also want to upgrade to Nitro without paying for it.

Once the fake tool is installed, the ransomware is deployed, and the encryption process begins. A changed wallpaper showing an angry Discord logo marks the encryption as complete.

Angry Discord wallpeper changed marks successful NitroRansomware cyberattack - Source: bleepingcomputer.com

Then, an eerie ransomware message is displayed, demanding the submission of a purchased Nitro gift code within 3 hours in exchange for a complete reversal of the damage. 

Nitroransomware message
NitroRansomware message - Source: bleepingcomputer.com

All submitted Nitro gift code URLs are verified using the Discord API URL. Once verified the decryption process is initiated.

Besides personal file encryption, NitroRansomware performs additional malicious activities, such as stealing a victim’s Discord tokens and attempting remote access to execute foreign commands.

But NitroRansomware’s backdoor is rudimentary, and its decryption key is terribly hidden, so users could decrypt their files without succumbing to the ransom demands. 

This suggests that the ransomware was developed in haste, possibly as more of an entertaining experiment rather than a serious threat - a window into the concerning proficiency of ransomware development.

How secure is Discord?

Discord is a VoIP, instant messaging and digital distribution platform. Users communicate with voice calls, video calls, text messaging, media, and files in private chats.
  • Check icon
    View our free preliminary report on Discord’s security posture
  • Check icon
    13 risk factors, including email security, SSL, DNS health, open ports and common vulnerabilities
Security ratings
Abstract shape
Deliver icon

Sign up for our newsletter

Stay up-to-date on everything UpGuard with our monthly newsletter, full of product updates, company highlights, free cybersecurity resources, and more.
UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

Protect your organization

Get in touch or book a free demo.
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan rating