
Gollum Ransomware

By GoldSparrow in Ransomware

PC security researchers uncovered the Gollum Ransomware, an encryption ransomware Trojan, on July 11, 2018. The Gollum Ransomware is a variant of previously observed ransomware Trojans. Like many earlier variants of these threats, the Gollum Ransomware is delivered to victims through spam email messages. Commonly, these messages trick the victim into opening an attachment that claims to come from a legitimate sender such as Amazon or PayPal. When the attachment is opened, embedded macro scripts download and install the Gollum Ransomware onto the victim's computer.

How the Gollum Ransomware Attack Works

Once the Gollum Ransomware has been installed on the victim's computer, it takes the victim's files hostage. To do this, the Gollum Ransomware uses AES and RSA encryption to make the victim's files inaccessible. The Gollum Ransomware targets user-generated files, which may include numerous media files, document types, backups and other file types. Some examples of the numerous file types that threats like the Gollum Ransomware target in their attacks include:

.ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf, .bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco, .oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn, .sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf, .xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw, .cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx, .dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb, .ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb, .kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab, .jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dot.

The Gollum Ransomware marks the files encrypted by the attack by appending the file extension '.encrypted' to their original names. Apart from encrypting the victim's files, the Gollum Ransomware also makes alternate recovery methods unusable: it removes the Shadow Volume Copies of the victim's files and deletes the System Restore points. Once the victim's files have been encrypted, the Gollum Ransomware delivers a ransom note to the victim. The ransom note is contained in an HTML file named 'ransom_pay.html' and in a TXT file named 'ransom_note.txt'. Both contain the same message, which reads as follows:

'MOST OF YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED BY AES 256-CBC AND RSA 2048!
well, if you want to restore all your files you should
send 0,05000000 BTC to the next bitcoin address as you see below
[1352RtNRpYRdKLWUUDklBUKP7p4SqMAiTF]
until [a string with a set date and hour] (UTC)'
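The file-level indicators described above (the '.encrypted' suffix appended to encrypted files, the two ransom note names, and the list of targeted extensions) can be turned into a simple post-incident triage scan. The following Python script is an added example written for this entry; it is not code from the page or from any vendor tool. It walks a directory tree, counts files carrying the '.encrypted' suffix, maps each one back to its original extension and checks it against a subset of the targeted list, and flags every directory that contains a ransom note. The sample directory layout it builds in a temporary folder is constructed for the demonstration, and the function names and the chosen extension subset are the example's own.

```python
# Added example: triage scanner for the file-level indicators this entry lists
# (the '.encrypted' suffix and the two ransom note names). Not code from the
# page or from any vendor tool; the sample tree it scans is constructed here.
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".encrypted"                              # suffix the threat appends (from the page)
RANSOM_NOTE_NAMES = {"ransom_pay.html", "ransom_note.txt"}  # note file names (from the page)
# A subset of the targeted extensions listed on the page; extend as needed.
TARGETED_EXTENSIONS = {
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png",
    ".bak", ".tib", ".sql", ".sqlite", ".kdbx", ".pst", ".ost",
}


def original_extension(filename):
    """Return the extension a file had before '.encrypted' was appended.

    'report.docx.encrypted' -> '.docx'. Returns None for names that do not
    carry the suffix and '' for a name with no extension underneath it.
    """
    if not filename.lower().endswith(ENCRYPTED_SUFFIX):
        return None
    original = filename[: -len(ENCRYPTED_SUFFIX)]
    return Path(original).suffix.lower()


def scan_tree(root):
    """Walk a directory tree and collect indicators of the encryption attack.

    Returns a dict with the encrypted file paths, the ransom note paths, a
    Counter of original extensions, the number of encrypted files whose
    original extension is in the targeted subset, and the affected directories.
    """
    result = {
        "encrypted": [],
        "notes": [],
        "by_ext": Counter(),
        "targeted_hits": 0,
        "affected_dirs": set(),
    }
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower() in RANSOM_NOTE_NAMES:
                result["notes"].append(full)
                result["affected_dirs"].add(dirpath)
                continue
            ext = original_extension(name)
            if ext is None:
                continue                      # untouched file, nothing to record
            result["encrypted"].append(full)
            result["by_ext"][ext] += 1
            result["affected_dirs"].add(dirpath)
            if ext in TARGETED_EXTENSIONS:
                result["targeted_hits"] += 1
    return result


def build_sample_tree(root):
    """Create a small constructed layout mimicking the aftermath the page
    describes: encrypted documents, dropped notes and untouched files."""
    docs = Path(root) / "Documents"
    pics = Path(root) / "Pictures"
    docs.mkdir(parents=True)
    pics.mkdir(parents=True)
    for name in ("report.docx.encrypted", "budget.xlsx.encrypted", "readme.txt"):
        (docs / name).write_bytes(b"constructed sample content")
    for name in RANSOM_NOTE_NAMES:
        (docs / name).write_text("constructed note placeholder")
    (pics / "holiday.jpg.encrypted").write_bytes(b"\x00" * 16)
    (pics / "notes.encrypted").write_bytes(b"\x00" * 16)    # no original extension
    (Path(root) / "app.exe").write_bytes(b"MZ")              # untouched binary
    return root


def summarize(root):
    """Run the scan and reduce it to the figures a triage ticket needs."""
    r = scan_tree(root)
    return {
        "encrypted_files": len(r["encrypted"]),
        "ransom_notes": len(r["notes"]),
        "affected_dirs": len(r["affected_dirs"]),
        "targeted_hits": r["targeted_hits"],
        "top_extensions": r["by_ext"].most_common(3),
    }


def demo():
    """Build the constructed tree in a temporary directory, scan it, and
    return (summary, raw_scan) for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(tmp), scan_tree(tmp)


if __name__ == "__main__":
    summary, _raw = demo()
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Pointing `scan_tree` at a user's profile or a file share gives a quick count of how much was encrypted and where the notes were dropped, which is the information needed to scope restoration from the backups discussed below; the original-extension breakdown also shows at a glance whether backup formats such as .bak or .tib were among the encrypted files.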

Dealing with the Gollum Ransomware

The Gollum Ransomware's ransom is approximately 300 USD at the current exchange rate. Despite the relatively affordable ransom asked by the Gollum Ransomware, it shouldn't be paid. Nothing guarantees that the criminals will help the victims recover their files after the attack, and they may even target the victim for additional infections, since the victim will have shown a willingness to pay. The best protection against threats like the Gollum Ransomware is to have file backups stored in the cloud. Malware researchers advise computer users to store backup copies of their files on external memory devices or cloud services, which allows them to recover from attacks like the Gollum Ransomware by deleting the compromised files and replacing them with the backup copies.
