Goose Ransomware

The Goose Ransomware, as its name suggests, falls in the category of malware threats known as ransomware. These threatening tools are created with the purpose of running an encryption routine on compromised devices, leaving users unable to access their own personal or business-related files. Naturally, ransomware threats aim to affect as many different files as possible, while not putting the overall stability of the system in danger. While the Goose Ransomware shares most of the typical characteristics observed in ransomware threats, it also deviates quite a lot.

First, during its encryption process, the Goose Ransomware doesn't modify the original names of the locked files in any way, leaving them completely intact. This is contrary to the behavior of most ransomware threats that either append their own unique file extension or even include an email address or a victim's ID string to the names of the encrypted files. Another peculiar characteristic of the Goose Ransomware is that it encrypts a very small portion of the files stored on the infected system with the majority of the affected files being found on the Desktop of the device.

Ransom Note's Details

The ransom-demanding message delivered by the Goose Ransomware will be shown to users inside a new pop-up window. The window contains the instructions from the attackers, an image of a goose, and a button labeled 'Decrypt.' According to the message, victims can restore their data by paying the attackers a ransom of exactly $50. However, the sum must be transferred using the Bitcoin cryptocurrency.

To receive additional payment details, such as the crypto-wallet address to which the money should be sent, affected users are expected to contact the email address of the hackers - 'skabl*t.hardbas@gmail.com.' Using Gmail is unusual for ransomware operators, as Google is quite effective in shutting down their accounts due to illegal activity. The various atypical actions of the threat, the use of Gmail, and the relatively small ransom could point towards the current Goose Ransomware version being released for test purposes.

The full text of the ransom note is:

'Your files have been encrypted by the goose ransomware!

What happend to my computer?

All your personal files have been encrypted with a strong algorithm.
There is no way to restore your files without our decryption service.

How can I decrypt my files?

It is easy.
You just need to contct us at this email-address: 'skabl*t.hardbas@gmail.com'.
Enter this personal idetification code as title of your message: 'Y35 - 90m- X23'.
You need to pay 50$ in bitcoin to unlock your files.
It can take a few hours for us to respond.
We will give you our wallet id for the transaction.
After you sended us the bitcoins, write us an email with your transaction id.
If you don't know how to buy bitcoins, google it.

[DECRYPT]'