GonaCry Ransomware
GonaCry is ransomware that has the ability to encrypt files, alter the filenames of the encrypted files, modify the desktop wallpaper, and leave behind a ransom note in the form of a 'read_it.txt' file. The GonaCry Ransomware appends a randomized 4-character extension to each of the encrypted filenames. For example, a file named '1.jpg' may be renamed to '1.jpg.h863,' while a file named '2.doc' could be changed to '2.doc.i9as". This naming convention helps the attackers differentiate between encrypted and unencrypted files.
An Overview of GonaCry Ransomware's Demands
The ransom note informs the victims that their operating system has been compromised by the GonaCry Ransomware, causing all files to become inaccessible. The perpetrators of the attack offer to sell specialized decryption software that they claim will restore the affected files and eliminate the ransomware.
The cost of the decryption software is priced at $50 and must be paid in Monero, a cryptocurrency. The ransom payment is to be made using the Monero crypto-wallet address provided in the attackers' instructions.
Typical Tactics Used to Distributed Threats Like the GonaCry Ransomware
Ransomware is typically spread through phishing emails, corrupted attachments and drive-by downloads. Phishing emails are messages that appear to be from a trusted source but in reality contain a corrupted link or attachment that, when opened, infects the victim's device with ransomware. Corrupted attachments are files sent as part of an email that appear legitimate but contain malware. Drive-by downloads are corrupted files that are automatically downloaded to a victim's device when they visit an infected website.
Another common method of ransomware distribution is through the exploitation of vulnerabilities in software and operating systems. Attackers use tools to search for unpatched systems and then use the found vulnerabilities to install the ransomware. Additionally, some attackers also use peer-to-peer networks and social engineering techniques to spread ransomware. In some cases, the attackers also may use other malware, such as Trojans, to install ransomware on a victim's device.
The methods used for ransomware distribution are constantly evolving, and new techniques are being developed all the time. Therefore, it's crucial to stay informed about the latest threats and take steps to protect against them, such as regularly updating software and operating systems, avoiding clicking on suspicious links or attachments and implementing strong security practices.
The content on the ransom note left on the infected devices by the GonaCry Ransomware is:
'----> GonaCry is multi language ransomware. Translate your note to any language <----
All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't
be able to decrypt them without our help.What can I do to get my files back?You can buy our special
decryption software, this software will allow you to recover all of your data and remove the
ransomware from your computer.The price for the software is $50. Payment can be made in Monero only.
How do I pay, where do I get Monero?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search
yourself to find out how to buy Monero.
Many of our customers have reported these sites to be fast and reliable:
Localmonero - hxxps://localmonero.co/Payment informationAmount: 0.27 XMR
XMR Address: 48PREVmScFc9Pkga79U7tJXA7GfgtE17CqMQFeuB 3NTzJ2X28tfRmWaPyPQgvoHVhwiKUcE2QpaqBRvdhSPAF8217vH74QkThe message displayed as a desktop background is:
!! ATTENTION !!
YOUR FILES HAVE BEEN ENCRYPTED!
All of your documents photos, databases and other important files have been encrypted with RSA encryption.
You will not be able to recover your file without the private key which has been saved on our server.
An antivirus can not recover your files
Send 50$ worth of BTC to this address:
1N89GorkiuhgU9TDoN1AKxby19ntWp8ub5Or Send 50$ worth of XMR to this address:
48PREVmScFc9Pkga79U7tJXA7GfgtE17CqMQFeuB 3NTzJ2X28tfRmWaPyPQgvoHVhwiKUcE2QpaqBRvdhSPAF8217vH74Qk'
