The first ransomware variant detected that is written in Google’s Go programming language isn’t the success its authors hoped it would be, with researchers cracking its encryption and releasing a free decrypter.
Detected under the generic name of Trojan.Encoder.6491, this ransomware variant appeared only three days ago.
According to Dr.Web, an antivirus maker based in Russia, the ransomware is currently spread via a file named Windows_Security.exe, most likely masquerading as a Windows Security update, just ahead of this month’s Patch Tuesday.
Trojan.Encoder.6491 uses an encryption scheme that relies on the AES algorithm and targets 140 file types for encryption, while avoiding core Windows directories so as not to mess up the target’s PC.
You can spot Trojan.Encoder.6491 by the way it renames files after it encrypts them. The ransomware takes a file named photo.png, encodes its name using the Base64 algorithm, and appends the ENC extension to the end of the file name, like so: cGhvdG8=.enc.
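A triage check for the renaming pattern described above, as an added example that is not from Dr.Web or the original article: it walks a directory tree and lists files whose name is valid Base64 followed by .enc, together with the decoded name. The function names and the sample tree are constructed for illustration.

```python
import base64
import binascii
import os
import tempfile

ENC_SUFFIX = ".enc"  # extension the article says is appended after encryption


def decode_renamed(filename):
    """Return the decoded name if filename matches <Base64>.enc, else None."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() != ENC_SUFFIX or not stem:
        return None
    try:
        # validate=True rejects non-Base64 characters; bad padding also raises
        raw = base64.b64decode(stem, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Unrelated *.enc files rarely decode to clean printable text.
    # The article's sample cGhvdG8= decodes to "photo", without the extension.
    return text if text and text.isprintable() else None


def find_renamed(root):
    """Walk root and return sorted (path, decoded_name) pairs for matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            decoded = decode_renamed(name)
            if decoded is not None:
                hits.append((os.path.join(dirpath, name), decoded))
    return sorted(hits)


def demo():
    """Constructed sample tree: two matching names and three unrelated files."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "docs"))
        for rel in ("cGhvdG8=.enc", "docs/cmVwb3J0.enc", "notes.txt",
                    "backup.enc", "data.enc"):
            open(os.path.join(root, rel), "wb").close()
        return [(os.path.relpath(p, root), d) for p, d in find_renamed(root)]


if __name__ == "__main__":
    for path, decoded in demo():
        print(f"{path} -> {decoded}")
```

A match is only a naming indicator: short legitimate names can also be valid Base64, so confirm hits against other evidence before treating a host as affected.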
The good news is that Dr.Web researchers spotted encryption flaws in the ransomware’s operation and created a decrypter that can recover locked files without paying the ransom. The bad news is that this decrypter will be available to Dr.Web paying customers only.
In an extreme case of irony, the ransomware’s fee and a Dr.Web license cost about the same, around $30, but if you’re smart, you’ll buy Dr.Web security products via Softpedia, where we’re currently running 60% discounts on several products.