Dr.Web creates decrypter to help victims

Oct 13, 2016 01:20 GMT  ·  By

The first ransomware variant ever detected that is written in Google's Go programming language isn't the success its authors hoped it would be: researchers have cracked its encryption and released a free decrypter.

Detected under the generic name of Trojan.Encoder.6491, this ransomware variant appeared only three days ago.

According to Dr.Web, an antivirus maker based in Russia, the ransomware is currently spread via a file named Windows_Security.exe, most likely masquerading as a Windows Security update, just ahead of this month's Patch Tuesday.

Trojan.Encoder.6491 uses an encryption scheme based on the AES algorithm and targets 140 file types for encryption, while skipping core Windows directories so as not to break the victim's PC.

You can spot Trojan.Encoder.6491 by the way it renames files after encrypting them. The ransomware takes a file named photo.png, encodes its name with the Base64 algorithm and appends the .enc extension, so the file ends up as cGhvdG8=.enc.
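As an added example, not code from the article or from Dr.Web, the following Python helper recognises the renaming pattern described above and recovers the original names from a directory listing, which is useful for triaging an infected machine. It assumes, following the article's photo.png example, that only the file stem is Base64-encoded, but it also accepts names that still carry their extension; the sample listing is constructed.

```python
import base64
import binascii
import re
from typing import Dict, Iterable, Optional

# Trojan.Encoder.6491 renames a file to Base64(original name) + ".enc".
# The article's example is photo.png -> cGhvdG8=.enc, i.e. only the stem
# "photo" is encoded; whether an extension can be included is an assumption
# here, so both forms are accepted.
ENC_NAME = re.compile(r"^([A-Za-z0-9+/]+={0,2})\.enc$")


def decode_encrypted_name(filename: str) -> Optional[str]:
    """Return the original name if `filename` matches the scheme, else None."""
    m = ENC_NAME.match(filename)
    if not m:
        return None
    token = m.group(1)
    if len(token) % 4 != 0:  # Base64 output is always padded to a multiple of 4
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # A genuine encoded name round-trips exactly (rejects non-canonical padding bits)
    if base64.b64encode(raw).decode("ascii") != token:
        return None
    try:
        name = raw.decode("utf-8")
    except UnicodeDecodeError:  # e.g. "data.enc": valid Base64, but decodes to binary junk
        return None
    # Real filenames contain no control characters or path separators
    if not name or any(ord(c) < 32 or c in "/\\" for c in name):
        return None
    return name


def scan_names(names: Iterable[str]) -> Dict[str, str]:
    """Map each renamed file in a listing to its recovered original name."""
    hits = {}
    for n in names:
        original = decode_encrypted_name(n)
        if original is not None:
            hits[n] = original
    return hits


# Constructed sample directory listing: two renamed files, three benign names.
SAMPLE_LISTING = ["cGhvdG8=.enc", "cmVwb3J0Lnhsc3g=.enc", "notes.txt", "setup.enc", "data.enc"]
```

Running `scan_names(SAMPLE_LISTING)` flags only the two renamed files and recovers "photo" and "report.xlsx"; the benign .enc names fail the Base64 or UTF-8 checks.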

The good news is that Dr.Web researchers spotted encryption flaws in the ransomware's operation and created a decrypter that can recover locked files without paying the ransom. The bad news is that this decrypter will be available to Dr.Web paying customers only.

In an extreme case of irony, both the ransomware's fee and a Dr.Web license are about the same, which is around $30, but if you're smart, you'll buy Dr.Web security products via Softpedia, for which we're currently running 60% discounts for several products.

Trojan.Encoder.6491 ransom note

Photo gallery (2 images): Researchers crack first-ever Go-based ransomware; Trojan.Encoder.6491 ransom note