New ransomware strain highlights Golang-based malware trend among cyberattackers

A new ransomware strain that leverages Golang highlights the increased adoption of the language by cybercriminals.

CrowdStrike derived a sample of a new ransomware variant that was not named yet. It’s features are similar toHelloKitty/DeathRansom as well as FiveHands.

These strains have been active since 2019 and connected to attacks such as the maker of Cyberpunk 2077, CD Projekt Red (CDPR), along with enterprise organisations.

The sample identified reveals functions that have resemblance to HelloKitty and FiveHands, with elements written in C++, as well as the manner in which the malware encrypts files and acknowledges command-line arguments.

Moreover, akin to FiveHands, the latest malware leverages an executable packer that needs a key value to decrypt the malicious payload inside memory, which includes the use of the command-line switch “key.”

“This method of using a memory-only dropper prevents security solutions from detecting the final payload without the unique key used to execute the packer,” CrowdStrike states.

Unlike HelloKitty and FiveHands, this new strain leverages a packer that’s written in Go programming language that encrypts its C++ ransomware payload.

As per Intezer, malware based on Go was not common prior to 2019, but now, it is a popular option as it is to compile codes quickly across multiple platforms and it’s not easy to reverse-engineer.

CrowdStrike’s sample utilises the most recent version of Golang, v.1.16, released in February this year.

“Although Golang-written malware and packers are not new, compiling it with the latest Golang makes it challenging to debug for malware researchers,” CrowdStrike added. “That’s because all necessary libraries are statically linked and included in the compiler binary, and the function name recovery is difficult.”

Apart from Go, the sample contains other common functions of ransomware which includes the ability to encrypt files and disks, along with issuing a demand for payment in return for a decryption key.

The ransom note takes victims to a direct chat session with the malware’s operators and there have been claims that they have stolen more than 1TB of sensitive personal data. This suggests that the developers may be looking out for attempting ‘double extortion’ in case a victim refuses to make the payment, they send data leak threats.