Discord Ransomware Uses Gift Codes As Payment

You are currently viewing Discord Ransomware Uses Gift Codes As Payment

A new and novel Ransomware attack vector is targeting Discord users, according to cybersecurity researchers at MalwareHunterTeam. The ransomware calls itself ‘NitroRansomware,’ and instead of the usual dollar payment, the ransomware takes payment in the form of Discord Nitro gift codes. Discord is a VoIP, instant messaging, and digital-distribution platform designed for creating communities. Users communicate with voice calls, video calls, text messaging, media, and files in private chats or as part of communities called “servers.”. While Discord is free, they offer a Nitro subscription add-on for $9.99 per month that provides additional perks, such as larger uploads, HD video streaming, enhanced emojis, and the ability to boost your favorite server. Hence, its users enjoy extra functionality as well.

When buying a Nitro subscription, a user can apply to their own account, or gift it to another Discord user. This allows Nitro subscriptions to work in a manner similar to Amazon and Steam gift cards, as well as other popular digital gift cards used by various platforms.

Gifting a Discord Nitro Subscription

Nitro subscriptions are valuable to the Discord community, not just because of their inherent monetary value but because of the extra functionality it gives to users.

As with any service, there is a sub-section of users always looking out on how to game the system, and get Nitro for free.

This where the attack vector for NitroRansomware comes into play. These users are often on the lookout for Nitro code generators, often downloaded as .exe files. Many of these fail to produce working Nitro codes, but some may have a worse consequence. In this case, NitroRansomware masquerades as a Nitro code generator. Essentially, a user will download a nitro code generator and run the .exe, immediately installing NitroRansomware onto their machine.

When the user runs the .exe, their files will be encrypted by the ransomware with the .givemenitro extention. Their desktop wallpaper will change to an ‘angry’ version of the Discord mascot.

Wallpaper changed to the angry discord discord logo

A ransomware screen will then be displayed demanding a free Nitro gift code within three hours, or ransomware will delete the victim’s encrypted files.

NitroRansomware Ransom Screen

The user at this point will need to enter a discord nitro giftcode to decrypt their files.

As well as encrypting the victims’ device, NitroRansomware will also steal their Discord tokens. Discord tokens are authentication keys tied to a particular user, that when stolen, allow a threat actor to log in as the associated user. If the hacker gets access to the victims’ discord, they could easily attempt to propagate the virus further using social engineering.

As part of this process, the malware will also attempt to steal data from Google Chrome, Brave Browser, and Yandex Browser. 

Gift Cards Are Common Currency For Hackers

Gift cards as payment in cybercrime are not unheard of. One of the earliest uses of gift cards was for money laundering, especially with iTunes gift cards. A victim would be convinced to buy multiple gift cards, which went back into the criminal infrastructure which existed for reselling gift cards, laundering fake ebooks, and more.

“In February, gift cards from 3,010 companies showed up on a Russian-speaking illicit forum, according to Gemini Advisors. These included cards from Airbnb, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target, and Walmart.” noted researchers at Threatpost.

These gift cards were worth a sum of around $38,000. However, bidding wars for hot gift cards never reach the full amount and are often listed at a highly discounted ‘Buy Now’ price instead.

“Typically, compromised gift cards sell for 10 percent of the card value in the Dark Web; however, the 895,000 cards offered from the breach were priced at roughly 0.05 percent of the card value,” according to Gemini, in an early April report. This discrepancy likely means the gift cards were potentially carrying low balances, it added.

When it comes to monetization, cybercriminals basically have two options, according to Gemini: Purchase actual goods and resell them; or sell the cards to a third-party gift card marketplace as in the example above.

“In one scheme, cybercriminals would use stolen payment cards to purchase gift cards and then sell the gift cards to Cardpool (a carding marketplace),” according to the report. “If a bank were to determine that the gift card had been purchased with a stolen payment card, they could connect with the merchant bank or gift card vendors that issued the gift card and request they void the gift card. Unfortunately, this process can prove cumbersome and time-consuming, making it a rare occurrence and granting cybercriminals a wider time window to pull off their scheme.”

Discord NitroRansomware Analysis


Much of this analysis was carried out by MalwareHunterTeam and BleepingComputer.

As stated earlier, the virus will encrypt all files with the .givemenitro extension.

Encrypted Files

When a user enters a Nitro gift code URL, the ransomware will verify it using a Discord API URL, as shown below. If a valid gift code link is entered, the ransomware will decrypt the files using an embedded static decryption key.

As the decryption keys are static and are contained within the ransomware executable, it is possible to decrypt the files without actually paying the Nitro gift code ransom.

Therefore, if you fall victim to this ransomware, you can share a link for the executable to extract a decryption key. However, this will not protect you from the virus’ token-stealing capability.

When NitroRansomware starts, it will search for a victim’s Discord installation path and then extract user tokens from the *.ldb files located under “Local Storage\leveldb.” These tokens are then sent back to the threat actor over a Discord webhook.

Stealing Discord User Tokens

NitroRansomware also includes functionality to execute commands and have the output sent through the webhook to the attacker’s Discord channel. This is currently only used to get the computer’s UUID using the ‘wmic csproduct get uuid’ command.

Acting as a backdoor to send commands

At SaferNet, we have reported on many deadly ransomware strains. Nitroransomware lacks the ‘teeth’ and capability to be counted amongst them. Its ease of decryption means that the worst that the virus is capable of is stealing Authentication tokens. While it doesn’t represent a major threat at this point in time, if it is appropriately developed it could cause chaos in the Discord community.


Nitroransomware’s initial attack vector relies on the victim installed a false nitro key generator. Needless to say, users will be protected against an attack like this if they simply don’t go looking for illegal or illegitimate programs on the web. This may not be the last we’ve heard of Nitroransomware, however, and more developed iterations could seek out users who play by the rules.

What the virus shows is that hackers are constantly moving with the times, and using the most popular services to meet their ends. It is important that users move with the times too, and use up-to-date tools for their protection. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply