GOG Ransomware

The GOG Ransomware has nothing to do with the GOG.com store for DRM-free games and goodies. The GOG Ransomware is named after an image that says 'THE GOG RANSOMWARE,' which was found in the resource section of its primary executable. The GOG Ransomware was reported in the last days of December 2016 and appears to be yet another crypto-threat. Cyber security analysts note that the GOG Ransomware is not a unique threat and its functionality is rather straightforward.

Spam Emails Carrying Trusted Logos Disperse the GOG Ransomware

The GOG Ransomware is installed on computers via spam emails loaded with corrupted text documents. Samples recovered from phishing emails suggest the distribution campaign for the GOG Ransomware includes logos from banking institutions, social media, online stores and NGOs. Computer users that allow a macro from untrusted source to run on their PCs may encounter the welcoming screen of the GOG Ransomware on the next system reboot. The GOG Ransomware uses a combination of the RSA and AES ciphers to handle the encryption process and can lock data stored locally and on removable media such as memory cards, USB thumb drives and media players. The encryption procedure starts by building a list of data containers that are associated with presentations, text, eBooks, spreadsheets and images. As you may guess, the next step is to encipher the content of the data containers so that it is unreadable.

A Locky-Inspired Ransomware that Does not Introduce Innovations

The GOG Ransomware appears to be inspired by the Locky Ransomware considering the ransom demands are styled similarly, and the GOG Ransomware appends the '.locked' extension to the name of enciphered objects. For example, 'Prunus serrulata.pptx' is transformed to 'Prunus serrulata.pptx.locked' and you are presented with the ransom note 'DecryptFile.txt' in the Notepad. When 'DecryptFile.txt' is loaded on your screen, third-party programs you had opened may be minimized. The message in 'DecryptFile.txt' reads:

'WARNING!!!
@ NOT YOUR LANGUAGE? USE https://translate.google.com
@ What happened to your files?
@ All of your files were protected by a strong encryption with RZA4096
@ More information about the encryption keys using RZA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
@ How did this happen?
@ Specially for your PC was generated personal RZA4096 Key, both publik and private.
@ ALL YOUR FILES were en-Crypted with the publik key, which has been transferred to your computer via the Internet.
@ Decrypting of your files is only possible with the help of the privatt key and de-crypt program, which is on our Secret Server
@ What do I do?
@ So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW!, and restore
your data easy way
@ If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment'

The Bitcoin Remains the Favorite Currency for Doing Business with Ransomware

The notification includes instructions on how to install the TOR Browser, access the payment portal and manage Bitcoins. The private decryption key and program to unlock the '.locked' files are offered in exchange for 0.3 Bitcoin, which you can buy for 328 USD/313 EUR. We do not encourage paying for the decryptor because the team behind the GOG Ransomware is not obliged to help you recover your files. There is a slight chance that they may send you a decryptor and there is a greater probability you are forwarded another Trojan instead. Ransomware operators can sell collected data for an excellent price on underground forums. Instead, you may want to use backup images to recover your data and run a reputable anti-malware solution that can eradicate the GOG Ransomware hassle-free.