
GameOver Ransomware

By GoldSparrow in Ransomware

The GameOver Ransomware Trojan was classified as a crypto-threat on July 18th, 2018. Computer security researchers acquired samples of the GameOver Ransomware project from an open security platform and reported that there was no active distribution campaign at the time of writing. However, the threat is likely to be distributed via spam emails and compromised Remote Desktop connections. The GameOver Ransomware has similarities to the HiddenTear open-source ransomware, but more research is needed to confirm whether it is a heavily modified variant. Lab tests showed that the GameOver Ransomware encrypts data on the local disks, removes the Shadow Volume snapshots, and then deletes its own files, leaving a ransom note for the users. The GameOver Ransomware is observed to encrypt the following data formats:

.3g2, .3gp, .asf, .asx, .avi, .flv, .m2ts, .mkv, .mov, .mp4, .mpg, .mpeg, .rm, .swf, .vob, .wmv, .docx, .pdf, .rar, .jpg, .jpeg, .png, .tiff, .zip, .7z, .tar, .gz, .tar, .mp3, .sh, .c, .gif, .txt, .py, .pyc, .jar, .sql, .bundle, .sqlite3, .html, .php, .log, .pptx, .xlsx, .ppt, .accdb, .pub, .js, .bat, .vbs, .jse, .vbe, .cs, .vbproj, .csproj, .htm, .rpa, .pyo, .pyd, .db, .cpp, .cmd, .ocx, .sln, .vb, .sb2, .asm, .aes, .der, .pfx, .key, .crt, .csr, .pem, .odt, .ott, .sxw, .stw, .uot, .max, .ods, .sxc, .stc, .slk, .odp, .otp, .sxd, .std, .uop, .odg, .xdata, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlitedb, .sql, .mdp, .dbf, .odp, .frm, .myd, .myi, .ibd, .mdf, .lbd, .suo, .pas, .dip, .dch, .sch, .brd, .wma, .mid, .midi, .djvu, .svg, .nef, .cgm, .raw, .vcd, .iso, .backup, .bak, .tbk, .PAQ, .ARC, .gpg, .vmx, .vdmk, .vdi, .sldm, .s1dx, .sti, .sxi, .hwp, .snt, .ppsx, .ppsm, .pps, .pot, .pptm, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xls, .dotx, .dot, .docm, .docb, .doc, .onetoc2, .dwg, .wks, .csv, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .wncry.
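The page states that the GameOver Ransomware removes the Shadow Volume snapshots but does not say how. The following Python is an added example, not code from the page or from the GameOver project, that runs a generic detection for the common Windows shadow-copy deletion commands (vssadmin, wmic, wbadmin, Win32_ShadowCopy via PowerShell) over constructed process-creation events; whether GameOver uses any of these specific commands is an assumption, and the event tuples and parent-process heuristic are likewise constructed for illustration.

```python
import re

# Constructed process-creation events: (parent image, image, command line).
# These are sample data for the example, not records from a real infection.
SAMPLE_EVENTS = [
    ("C:\\Users\\joe\\Downloads\\Project.GameOver.X.exe",
     "C:\\Windows\\System32\\cmd.exe",
     "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\vssadmin.exe",
     "vssadmin list shadows"),                      # benign: listing, not deleting
    ("C:\\Windows\\System32\\services.exe",
     "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "wmic shadowcopy delete"),
    ("C:\\Users\\joe\\Downloads\\Project.GameOver.X.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\notepad.exe",
     "notepad.exe readme.txt"),
]

# Generic patterns for the usual ways Windows ransomware destroys Volume Shadow
# Copies. The page does not state which method GameOver uses (assumption).
SHADOW_DELETE_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin shrink shadowstorage",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("Win32_ShadowCopy.Delete()",
     re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
]


def parent_is_unusual(parent_image):
    """Heuristic: shadow-copy maintenance spawned from outside C:\\Windows is suspicious."""
    return not parent_image.lower().startswith("c:\\windows\\")


def detect_shadow_deletion(events):
    """Return one hit dict per event whose command line matches a deletion pattern."""
    hits = []
    for parent, image, cmdline in events:
        for rule_name, pattern in SHADOW_DELETE_PATTERNS:
            if pattern.search(cmdline):
                hits.append({
                    "rule": rule_name,
                    "parent": parent,
                    "image": image,
                    "cmdline": cmdline,
                    # Higher confidence when a non-system parent launched it.
                    "confidence": "high" if parent_is_unusual(parent) else "medium",
                })
                break  # one hit per event is enough
    return hits


if __name__ == "__main__":
    for hit in detect_shadow_deletion(SAMPLE_EVENTS):
        print(f"[{hit['confidence']}] {hit['rule']}: {hit['cmdline']}  (parent: {hit['parent']})")
```

Run against real telemetry, the same logic fits a Sysmon Event ID 1 or Windows Security 4688 feed; the "list shadows" event is deliberately included to show that the rules key on the destructive verbs, not on vssadmin.exe alone.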

The affected files are marked with the '.gameover' string, which is added after the original file extension. For example, 'Joseph William Morgan-Binary Pursuit.mp4' is renamed to 'Joseph William Morgan-Binary Pursuit.mp4.gameover.' Because the marker is simply appended, the original file name and extension remain visible, which makes it straightforward to inventory what was hit. Windows does not recognize files marked with '.gameover,' and they are represented by generic white icons. The team behind the GameOver Ransomware does not appear to offer a decryptor, given that the following message is shown on the desktop of the affected users:
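As an added example (not code from the page or from the GameOver project) of how an incident responder can scope the damage from the naming scheme described above, the following Python walks a directory tree, finds every file carrying the appended '.gameover' marker, recovers the original name and extension, and checks each extension against a subset of the targeted list from the page. The sample directory layout it builds in a temporary folder is constructed for the example, and the subset of extensions in TARGETED_EXTENSIONS is an illustrative selection rather than the full list.

```python
import os
import tempfile
from collections import Counter

GAMEOVER_SUFFIX = ".gameover"

# Illustrative subset of the extensions the page lists as targeted (assumption:
# a responder would load the full list from the page in practice).
TARGETED_EXTENSIONS = {
    ".mp4", ".docx", ".pdf", ".jpg", ".sql", ".key", ".pem", ".pfx",
    ".bak", ".vmx", ".vdi", ".pst", ".xlsx", ".txt",
}


def split_gameover_name(filename):
    """Return (original_name, original_extension) for a '.gameover' filename, else None.

    GameOver appends its marker after the original extension, so stripping the
    marker yields the original name intact.
    """
    if not filename.lower().endswith(GAMEOVER_SUFFIX):
        return None
    original = filename[:-len(GAMEOVER_SUFFIX)]
    ext = os.path.splitext(original)[1].lower()
    return original, ext


def scan_for_gameover(root):
    """Walk root and return a finding dict for every '.gameover' file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            parsed = split_gameover_name(name)
            if parsed is None:
                continue
            original, ext = parsed
            findings.append({
                "path": os.path.join(dirpath, name),
                "original_name": original,
                "original_ext": ext,
                "in_target_list": ext in TARGETED_EXTENSIONS,
            })
    return findings


def summarize(findings):
    """Count encrypted files per original extension (useful for a scoping report)."""
    return Counter(f["original_ext"] for f in findings)


def build_sample_tree():
    """Create a constructed directory tree mimicking a hit machine (sample data only)."""
    root = tempfile.mkdtemp(prefix="gameover_triage_")
    layout = {
        "Videos/Joseph William Morgan-Binary Pursuit.mp4.gameover": b"\x00" * 16,
        "Documents/report.docx.gameover": b"\x00" * 16,
        "Documents/keys/server.pem.gameover": b"\x00" * 16,
        "Documents/notes.txt": b"not encrypted",   # targeted type, but untouched
        "Backups/db.bak.gameover": b"\x00" * 16,
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    findings = scan_for_gameover(root)
    for f in findings:
        print(f"{f['original_ext']:6} targeted={f['in_target_list']}  {f['original_name']}")
    print(summarize(findings))
```

Point scan_for_gameover() at a mounted forensic image or a user profile to get a per-extension count for the incident report; files whose original extension is not in the targeted list would indicate either a different build of the threat or a second encryptor and deserve a closer look.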

'GameOver Virus
If you see this banner then all of your files on your harddisk have been encrypted with a very powerful algorithm.
You cannot restore your data by youself and especially decrypt it if you do so you can corrupt and destroy all of your data or even more, also if you try to delete the software your OS will be corrupted.
But if you want to retore at least your PC, you need to do this:
1: Reinstall windows or other OS on your computer
2: Get a better version of your antivirus or get a more powerful antivirus software.
If you want to get back your device do everything as it has been written.
GameOver Virus'

Samples of the GameOver Ransomware have been found to run as 'Project.GameOver.X.exe,' which provided researchers with the basis for its name. Because no decryptor is offered and the Shadow Volume snapshots are removed, the encrypted data cannot be restored from the compromised machine; in effect, the GameOver Ransomware behaves more like a data wiper than a standard crypto-locker. The only way to recover from the attack is to eliminate the Trojan and restore copies of your files from a backup. You should keep a good backup manager, with copies stored offline or on separate media, to counter threats like the GameOver Ransomware and to recover from system crashes. AV vendors use the following detection names for related objects:

  • Generic.Ransom.WCryG.DADAEB97
  • MSIL/Filecoder.NU!tr
  • TR/Ransom.dhtfz
  • Trojan ( 00534d121 )
  • Trojan.Win32.Generic!BT
  • W32.Ransom.Gen
  • W32/GenBl.B45A159C!Olympus
  • a variant of MSIL/Filecoder.NU
  • malicious_confidence_100% (W)
