
Security researchers from the SonicWall Capture Labs recently analyzed a ransomware called GoZone that not only encrypts files but also accuses the victim of having explicit content on their computer. It then threatens to report them to the authorities if the ransom isn’t paid. This type of extortion attack often arrives through unsolicited emails, making it even more insidious.
GoZone ransomware is written in Go and uses the ChaCha20 and RSA encryption packages. This combination of encryption methods makes it particularly robust and challenging to decrypt without the proper keys. The ransomware appends the “.d3prU” extension to encrypted files and creates ransom notes in several formats, including text files and HTML files, and it also changes the desktop wallpaper to display payment instructions.
The GoZone ransomware creates a readme text file in every directory where files have been encrypted, serving as one of the ransom notes. Additionally, it generates another ransom note in the form of an HTML file, which is then opened with the user’s default browser. This multi-pronged approach ensures that the victim is well aware of the ransom demand and the consequences of not paying.
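As an added example (not code from SonicWall's or Elastio's analysis), the following Python triage script walks a file tree and reports, per directory, how many files carry the “.d3prU” extension and whether a readme-style note sits next to them, which is the on-disk pattern described above. The note filename pattern is an assumption, since the page only says “a readme text file”; the sample tree is constructed inline so the script runs offline.

```python
import os
import tempfile

ENCRYPTED_EXT = ".d3prU"  # extension GoZone appends to encrypted files (from the report)


def is_ransom_note(name: str) -> bool:
    # Assumption: the report says only "a readme text file"; match readme*.txt case-insensitively.
    lower = name.lower()
    return lower.startswith("readme") and lower.endswith(".txt")


def scan_for_gozone(root: str) -> dict:
    """Walk `root` and return {relative_dir: {"encrypted": count, "note": bool}} for hit directories."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.endswith(ENCRYPTED_EXT)]
        note = any(is_ransom_note(f) for f in files)
        if encrypted or note:  # a note without encrypted files is still worth flagging
            hits[os.path.relpath(dirpath, root)] = {"encrypted": len(encrypted), "note": note}
    return hits


def summarize(hits: dict) -> dict:
    """Roll the per-directory hits up into totals for an incident ticket."""
    return {
        "dirs": len(hits),
        "files": sum(h["encrypted"] for h in hits.values()),
        "dirs_with_note": sum(1 for h in hits.values() if h["note"]),
    }


def build_sample_tree() -> str:
    """Constructed sample tree: two affected directories and one clean one. Returns the root path."""
    root = tempfile.mkdtemp(prefix="gozone_sample_")
    layout = {
        "docs": ["report.docx.d3prU", "budget.xlsx.d3prU", "README.txt"],
        "docs/archive": ["old.pdf.d3prU", "readme.txt"],
        "clean": ["notes.md"],
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    found = scan_for_gozone(build_sample_tree())
    for d, info in sorted(found.items()):
        print(f"{d}: {info['encrypted']} encrypted file(s), note present: {info['note']}")
    print(summarize(found))
```

Point `scan_for_gozone` at a mounted image or share to get a first count of affected directories before touching anything; the presence of a note in every affected directory matches the behaviour the report describes.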
The GoZone ransomware goes to great lengths to ensure the victim sees the ransom payment instructions. It changes the desktop wallpaper to display these instructions prominently.
The QR code at the bottom of the wallpaper copies the Bitcoin address “bc1qwemkeh2vu5ftzgat3sk87gr4mlskw898xd6tk5” to the browser. Checking this Bitcoin address on the blockchain reveals only a couple of transactions.
Upon further analysis, the ransomware modules show the different functionalities that this malware can employ:
- Add a scheduled task
- Disable UAC
- UAC Bypass
- Set wallpaper
- Self delete
- Overwrite MBR
- Remove system restore
Elastio says that they have recently spotted GoZone in action in enterprise cloud environments.