- Apr 5, 2014
- 6,008
Doctor Web’s specialists have discovered the first ransomware program written in Go. The Trojan, dubbed Trojan.Encoder.6491, appends encrypted files with the .enc extension. Doctor Web’s security researchers have developed a method for decrypting files compromised by this malware program.
New versions of ransomware Trojans appear every month. What makes this Trojan notable is that it is the first ransomware program written in Go, the language developed by Google. Doctor Web’s analysts had never before come across an encoder developed using this technology. Once launched, Trojan.Encoder.6491 installs itself on the system under the name Windows_Security.exe. Then, using the AES algorithm, the Trojan starts encrypting files on disks. However, files whose names contain the following strings are not encrypted:
tmp
winnt
Application Data
AppData
Program Files (x86)
Program Files
temp
thumbs.db
Recycle.Bin
System Volume Information
Boot
Windows
.enc
Instructions
Windows_Security.exe
The Trojan encrypts 140 different types of files, identifying them according to their extensions. Trojan.Encoder.6491 encrypts original file names with the Base64 method and appends the compromised files with the .enc extension. For example, the file name Test_file.avi is changed to VGVzdF9maWxlLmF2aQ==.enc.
Then, in a browser window, the Trojan opens the file Instructions.html, which demands that a ransom be paid in the Bitcoin cryptocurrency:
It should be noted that Trojan.Encoder.6491 regularly checks the Bitcoin wallet to which the victim is to transfer the ransom amount. Once payment is made, the Trojan automatically decrypts the files, using an internal function.
New versions of ransomware Trojans appear every month. What makes this Trojan notable is that it is the first ransomware program written in Go, the language developed by Google. Doctor Web’s analysts had never before come across an encoder developed using this technology. Once launched, Trojan.Encoder.6491 installs itself on the system under the name Windows_Security.exe. Then, using the AES algorithm, the Trojan starts encrypting files on disks. However, files whose names contain the following strings are not encrypted:
tmp
winnt
Application Data
AppData
Program Files (x86)
Program Files
temp
thumbs.db
Recycle.Bin
System Volume Information
Boot
Windows
.enc
Instructions
Windows_Security.exe
The Trojan encrypts 140 different types of files, identifying them according to their extensions. Trojan.Encoder.6491 encrypts original file names with the Base64 method and appends the compromised files with the .enc extension. For example, the file name Test_file.avi is changed to VGVzdF9maWxlLmF2aQ==.enc.
Then, in a browser window, the Trojan opens the file Instructions.html, which demands that a ransom be paid in the Bitcoin cryptocurrency:
It should be noted that Trojan.Encoder.6491 regularly checks the Bitcoin wallet to which the victim is to transfer the ransom amount. Once payment is made, the Trojan automatically decrypts the files, using an internal function.
