A new ransomware dubbed GoZone is being leveraged by attackers that don’t seem to be very greedy: they are asking the victims to pay just $1,000 in Bitcoin if they want their files decrypted.
The ransom notes shown by the malware lay out another incentive for paying up: they claim that child sexual abuse material has been found on the targeted computer and urge the victim to pay to prevent being reported to the authorities.
The GoZone ransomware
According to SonicWall researchers, the ransomware is written in Go, and uses the Chacha20 and RSA algorithms to encrypt victims’ files, which get the .d3prU extension.
The infected computer is also innundated with ransom notes: a .txt one created in every directory where files have been encrypted as well as on the desktop; a .html one opened with the system’s default browser; and one in the form of an image, to replace the system’s wallpaper.
“The victim will be unable to change this wallpaper as the ability to update the background settings has now been disabled by the ransomware,” the researchers have discovered.
Aside from encrypting files, the ransomware has additional modular capabilities that allow it to:
- Bypass and disable User Account Control (UAC) on Windows systems
- Overwrite the system’s master boot record (MBR)
- Hamstring the System Restore tool
In short, if victims don’t have a backup of their files that’s not located on the affected system, they are likely to lose them for good. Paying the ransom is not a reliable option, as the threat actor may not share the decryption key or the key might not work.
And it seems that the victims know this: The Bitcoin address provided by the threat actor for payments (bc1qwemkeh2vu5ftzgat3sk87gr4mlskw898xd6tk5) has a short transaction history that includes no transactions made in the last few months. However, this is a new threat and the situation might change.
