GOG Ransomware
Threat Scorecard
Threat Level: 80% (High)
Infected Computers: 5
First Seen: January 4, 2017
Last Seen: December 19, 2019
OS(es) Affected: Windows
The GOG Ransomware has nothing to do with the GOG.com store for DRM-free games and goodies. The GOG Ransomware is named after an image reading 'THE GOG RANSOMWARE' that was found in the resource section of its primary executable. The GOG Ransomware was reported in the last days of December 2016 and is yet another crypto-threat. Security analysts note that the GOG Ransomware is not a unique threat and that its functionality is rather straightforward.
Spam Emails Carrying Trusted Logos Disperse the GOG Ransomware
The GOG Ransomware is installed on computers via spam emails carrying malicious text documents. Samples recovered from phishing emails suggest that the distribution campaign for the GOG Ransomware borrows logos from banking institutions, social media platforms, online stores and NGOs to appear trustworthy. Computer users who allow a macro from an untrusted source to run on their PCs may encounter the welcome screen of the GOG Ransomware on the next system reboot. The GOG Ransomware uses a combination of the RSA and AES ciphers for the encryption process (the usual hybrid arrangement in crypto-threats: file contents are encrypted with symmetric AES, and the AES key material is protected with an RSA public key so that only the holder of the matching private key can recover it) and can lock data stored locally and on removable media such as memory cards, USB thumb drives and media players. The encryption procedure starts by building a list of files associated with presentations, text, eBooks, spreadsheets and images. The next step is to encrypt the contents of those files so that they are unreadable without the decryption key.
A Locky-Inspired Ransomware that Does not Introduce Innovations
The GOG Ransomware appears to be inspired by the Locky Ransomware, considering that the ransom demands are styled similarly and that the GOG Ransomware appends the '.locked' extension to the names of encrypted files, leaving the original name and extension in place. For example, 'Prunus serrulata.pptx' becomes 'Prunus serrulata.pptx.locked', and the ransom note 'DecryptFile.txt' is opened in Notepad. When 'DecryptFile.txt' is loaded on the screen, other programs that were open may be minimized. The message in 'DecryptFile.txt' reads:
'WARNING!!!
@ NOT YOUR LANGUAGE? USE https://translate.google.com
@ What happened to your files?
@ All of your files were protected by a strong encryption with RZA4096
@ More information about the encryption keys using RZA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
@ How did this happen?
@ Specially for your PC was generated personal RZA4096 Key, both publik and private.
@ ALL YOUR FILES were en-Crypted with the publik key, which has been transferred to your computer via the Internet.
@ Decrypting of your files is only possible with the help of the privatt key and de-crypt program, which is on our Secret Server
@ What do I do?
@ So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW!, and restore your data easy way
@ If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment'
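Two details above matter to an incident responder: the file-class targeting (presentations, text, eBooks, spreadsheets, images on local and removable media) and the naming scheme, where the original name survives with '.locked' appended next to a 'DecryptFile.txt' note. The following Python script is an added worked example, not EnigmaSoft's material and not the malware's code; it inventories a volume the way a responder would: it walks the given roots, lists every '.locked' file, recovers the original name and class, estimates from the first bytes whether the content is actually encrypted rather than merely renamed, and locates the ransom notes. The extension list per class, the directory layout and the 7.0 bits-per-byte entropy threshold are assumptions for illustration, and the infected directory is constructed inline so the script runs offline.

```python
"""Triage helper for a GOG-style infection (added example, not EnigmaSoft's or the malware's code).

Assumes only what the write-up states: encrypted files keep their original name with
'.locked' appended, and the ransom note is 'DecryptFile.txt'. The per-class extension
lists and the entropy threshold are illustrative assumptions.
"""
import math
import os
import random
import tempfile
from collections import Counter
from dataclasses import dataclass, field

LOCKED_SUFFIX = ".locked"
NOTE_NAME = "DecryptFile.txt"

# File classes the write-up names as targets; the concrete extensions are assumed.
TARGETED_EXTENSIONS = {
    "presentations": {".ppt", ".pptx", ".odp"},
    "text": {".txt", ".doc", ".docx", ".rtf", ".odt"},
    "ebooks": {".epub", ".mobi", ".pdf"},
    "spreadsheets": {".xls", ".xlsx", ".csv", ".ods"},
    "images": {".jpg", ".jpeg", ".png", ".gif", ".bmp"},
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: ciphertext sits near 8.0, plain text and renamed-only files well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(original_name: str) -> str:
    """Map a recovered original file name to one of the targeted classes, or 'other'."""
    ext = os.path.splitext(original_name)[1].lower()
    for category, exts in TARGETED_EXTENSIONS.items():
        if ext in exts:
            return category
    return "other"


@dataclass
class Finding:
    path: str
    original_name: str
    category: str
    entropy: float
    looks_encrypted: bool  # False: suffix added but content still readable, recoverable by renaming


@dataclass
class TriageReport:
    locked: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def triage(roots, entropy_threshold: float = 7.0, sample_bytes: int = 4096) -> TriageReport:
    """Walk every root (fixed and removable volumes alike) and inventory '.locked' files and notes."""
    report = TriageReport()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if name == NOTE_NAME:
                    report.notes.append(path)
                elif name.endswith(LOCKED_SUFFIX):
                    original = name[: -len(LOCKED_SUFFIX)]
                    with open(path, "rb") as fh:
                        head = fh.read(sample_bytes)  # the first bytes suffice for the estimate
                    ent = shannon_entropy(head)
                    report.locked.append(
                        Finding(path, original, classify(original), round(ent, 2), ent >= entropy_threshold)
                    )
    return report


def summarize(report: TriageReport) -> Counter:
    """Count affected files per targeted class, the figure a responder reports first."""
    return Counter(f.category for f in report.locked)


def build_sample_tree() -> str:
    """Construct a throwaway directory mimicking an infected volume (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="gog_triage_")
    rng = random.Random(2017)  # deterministic stand-in for ciphertext bytes

    def write(relpath: str, data: bytes) -> None:
        path = os.path.join(root, *relpath.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    junk = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    write("Documents/Prunus serrulata.pptx.locked", junk(2048))
    write("Removable/budget.xlsx.locked", junk(2048))
    write("Documents/notes.txt.locked", b"Meeting minutes, nothing encrypted here.\n" * 50)  # renamed only
    write("Documents/photo.jpg", b"\xff\xd8\xff\xe0" + junk(64))  # untouched file, must not be reported
    write("Documents/" + NOTE_NAME, b"WARNING!!!\n@ All of your files were protected by a strong encryption with RZA4096\n")
    return root


if __name__ == "__main__":
    report = triage([build_sample_tree()])
    print(f"{len(report.locked)} locked files, {len(report.notes)} ransom notes, by class: {dict(summarize(report))}")
    for f in report.locked:
        print(f"{f.original_name:28} {f.category:14} entropy={f.entropy:.2f} encrypted={f.looks_encrypted}")
```

The entropy check is the part worth keeping even if the rest is replaced by a vendor tool: a '.locked' file whose first kilobytes still score like plain text has not been encrypted, and stripping the suffix restores it, whereas a file near 8 bits per byte is only recoverable from backup or with the attacker's private key.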
Bitcoin Remains the Favorite Currency for Doing Business with Ransomware
The note includes instructions on how to install the TOR Browser, access the payment portal and obtain Bitcoin. (The note's 'RZA4096' refers to RSA, as its own link to the RSA Wikipedia article shows; the misspellings are reproduced above as written, since they are useful for recognizing the note.) The private decryption key and the program to unlock the '.locked' files are offered in exchange for 0.3 Bitcoin, which at the time of writing could be bought for 328 USD/313 EUR. We do not encourage paying for the decryptor, because the team behind the GOG Ransomware is under no obligation to help you recover your files. There is a slight chance that they will send you a decryptor, and a greater probability that you will be sent another Trojan instead. Ransomware operators can also sell any collected data for a good price on underground forums. Instead, you may want to restore your data from backup images and run a reputable anti-malware solution that can eradicate the GOG Ransomware.