New ransomware highlights widespread adoption of Golang language by cyberattackers

The latest version of Go is being used to prevent reverse-engineering attempts.

A new ransomware strain that utilizes Golang highlights the programming language's increasing adoption by threat actors. 

CrowdStrike secured a sample of a new ransomware variant, as of yet unnamed, that borrows features from HelloKitty/DeathRansom and FiveHands.

These ransomware strains are thought to have been active since 2019 and have been linked to attacks against the maker of Cyberpunk 2077, CD Projekt Red (CDPR), as well as enterprise organizations

The sample discovered reveals similar functions to HelloKitty and FiveHands, with components written in C++, as well as the way the malware encrypts files and accepts command-line arguments. 

In addition, akin to FiveHands, the new malware makes use of an executable packer that requires a key value to decrypt its malicious payload into memory, including the use of the command-line switch "-key." 

"This method of using a memory-only dropper prevents security solutions from detecting the final payload without the unique key used to execute the packer," CrowdStrike says. 

However, unlike HelloKitty and FiveHands, this new ransomware strain has adopted a packer written in Go that encrypts its C++ ransomware payload. 

According to Intezer, malware utilizing Go was a rare occurrence before 2019, but now, the programming language is a popular option due to the ease of compiling code quickly for multiple platforms and its difficulty to reverse-engineer. Sample rates have increased by approximately 2,000% in the past few years.

CrowdStrike's sample uses the most recent version of Golang, v.1.16, which was released in February 2021. 

"Although Golang-written malware and packers are not new, compiling it with the latest Golang makes it challenging to debug for malware researchers," CrowdStrike notes. "That's because all necessary libraries are statically linked and included in the compiler binary, and the function name recovery is difficult."

In addition to the use of Go, the sample contains typical functions of ransomware -- including the ability to encrypt files and disks, as well as issuing a demand for payment in return for a decryption key. 

The ransom note directs victims to a Tor address for a direct chat session with the malware's operators and also claims to have stolen over 1TB in personal data, which suggests the developers may be attempting 'double extortion': if a victim refuses to pay, they are threatened with the leak of their information.  

Earlier this month, BlackBerry's threat research team published a report on ChaChi, a Trojan written in Go that has been used to attack French government authorities, and more recently, the US education sector. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0