GoCryptoLocker Ransomware Description
Cybersecurity experts have uncovered a brand-new file-locking Trojan, which has been dubbed the GoCryptoLocker Ransomware. Ransomware threats are rather nasty Trojans as they would lock all your data and extort you for money.
Propagation and Encryption
Mass spam emails are one of the most popular propagation methods in regard to the distribution of ransomware threats. The targeted users would receive a fake email that contains a corrupted attachment and a fraudulent message that attempts to convince them to launch the attached file. However, spam emails are not the only means of propagating data-locking Trojans. Some of the other commonly used tricks are malvertising campaigns, fake software updates, downloads, torrent trackers, bogus copies of popular applications, etc. When the GoCryptoLocker Ransomware manages to compromise your computer, it will scan it to locate all the files present on the system. Next, the GoCryptoLocker Ransomware would apply an encryption algorithm to lock the targeted data securely. The GoCryptoLocker Ransomware is likely going to encrypt all the images, documents, audio files, spreadsheets, archives, databases, videos, presentations, and other filetypes that can be found on your computer. Once the GoCryptoLocker Ransomware locks a file, it also changes its filename by adding a new extension – ‘.GEnc.’ This means that a file called ‘large-mug.pdf’ originally will be renamed to ‘large-mug.pdf.GEnc.’
The GitHub Problem
GitHub has become a treasure trove of free software, including some more malicious programs. Malware such as GoCryptoLocker takes advantage of people looking for some good software. Several threat actors upload their code on to GitHub to either share it with their contemporaries or test its capabilities. GoCryptoLocker appears to have been used for the second purpose, with the threat actor testing how sustainable it would be for ransoming files.
GoCryptoLocker targets Windows computers using AES and RSA encryption, just like any other RaaS attack. The ransomware also targets a relatively arbitrary list of file types, including documents, pictures, and exe files. One little caveat to note is that the ransomware has a cap on file size that prevents it from wasting too much time encrypting particularly large files.
The Trojan changes the file extension of infected files to include ‘GEnc’ after the regular file extension. One of the most interesting things about the GoCryptoLocker ransomware is that it doesn’t use the standard text file ransom note other malware does. Instead, it displays a popup message instead. Users have the option of entering a password into the popup, and entering the correct password unlocks the encryption.
The Ransom Note
The ransom note associated with the GoCryptoLocker Ransomware would appear in a new window on the user’s system. The victim would be asked to fill in a password. Since there is no mention of a ransom fee and no means of communication have been provided, it is likely that this may be a project built for the entertainment of its authors entirely. This means that it is not likely that the GoCryptoLocker Ransomware would be distributed actively and may not target regular users. However, this ransomware threat is fully capable of encrypting files, so it should not be written off entirely.
The GoCryptoLocker Note reads like the following:
Hello, your files has been encrypted!
Hello, you files has been encrypted!
The samples observed by security researchers suggest the threat actor behind GoCryptoLocker is preparing to convert it into a “real” campaign and is in the process of developing a more deleterious variant.
The popup window contains a smaller popup that displays a text message. The message tells victims that their files are encrypted. The main window has the same message and includes a field for people to enter the decryption password. Ransom notes are nothing new with ransomware, but they often have more information than this. At the least, a ransom note would contain contact information for people to learn how much they have to pay – and how to make the payment. The fact that GoCryptoLocker lacks this information leads experts to believe that the ransomware is still being tested and is in the development phase. The actual launch of the ransomware will include ransom demands.
Unfortunately, it is almost always impossible to decrypt ransomware without intervention from the criminals behind it. It may be possible if the ransomware has flaws that can be exploited. Security experts recommend against paying the ransom either way, as there is no guarantee that the attackers will live up to their end of the bargain. More often than not, people have their money stolen without having their data decrypted.
The only way to safely and effectively recover your lost files is by restoring from a backup. Be sure to remove any traces of GoCryptoLocker first to prevent your files from getting encrypted again.
Stop GoCryptoLocker In Its Tracks
GoCryptoLocker is currently only on Windows, but that could change. The virus is programmed with Golang, which is compatible with Linux and macOS as well. Malware researchers are yet to see the virus active in the wild, but still, recommend treating GoCryptoLocker like an active threat. Infection vectors such as spam emails, unofficial updates, and torrents should be handled carefully by computer users to avoid GoCryptoLocker.
The password used for the unmodified version is “qwerty123,” but this is likely to change in future releases. Given how easy it is to change passwords, users should consider taking steps to protect their important documents and other files even if they aren’t worried about the ransomware. Take the time to create backups of your most sensitive data.
If you fall victim to a ransomware threat, it is not wise to cooperate with the attackers as they often fail to keep their promises. Make sure your computer is protected from threats by investing in a reputable anti-virus solution.