GoZone Ransomware Accuses and Threatens Victims

Summary:
The GoZone ransomware, a new strain identified by SonicWall researchers, targets victims with a relatively low ransom demand of $1,000 in Bitcoin for file decryption. Written in Go, it uses ChaCha20 for file encryption and RSA to protect the file keys, appending a ".d3prU" extension to each encrypted file to signal compromise. GoZone's ransom note relies on a disturbing psychological tactic: it claims the infected device contains illegal material, specifically child sexual abuse content, and threatens to report the victim to authorities unless payment is made. The ransom notes are pervasive, appearing as .txt files in every directory containing encrypted files, as an .html file automatically opened in the system's browser, and even as the desktop wallpaper, which users cannot change because the relevant settings are disabled.

GoZone’s impact goes beyond encryption; it features advanced capabilities that further hinder recovery and destabilize systems. The ransomware bypasses and disables Windows User Account Control, overwrites the Master Boot Record to prevent proper OS loading, and disables System Restore, making it nearly impossible to revert to a previous state. Without reliable, offline backups, victims face substantial risk of data loss, and the decision to pay remains high-risk since decryption is not guaranteed.

Security Officer Comments:
Interestingly, GoZone has seen limited ransom payments. The Bitcoin address used by the attackers shows minimal transaction activity, suggesting that few victims have opted to pay, possibly because there is no assurance that a working key will be delivered. Despite the low payment rate, cybersecurity firm Elastio has detected GoZone in enterprise cloud environments, indicating that it could increasingly target complex network infrastructures rather than only individual endpoints.


Suggested Corrections:
  • Regular Backups and Offline Storage: Maintain frequent backups of critical files and store them offline or in secure cloud storage, inaccessible to local systems. This ensures data recovery without relying on decryption from attackers.
  • Endpoint Protection and Monitoring: Deploy comprehensive endpoint detection and response (EDR) solutions to detect unusual behavior associated with ransomware, such as unauthorized file encryption, file extension changes, or attempts to overwrite the Master Boot Record (MBR).
  • User Account Control Hardening: Limit administrative privileges to essential personnel only, and ensure UAC is configured to its highest prompt level ("Always notify"). Consider group policies that enforce UAC and prevent bypasses by unauthorized applications, and monitor for the registry and token-manipulation techniques commonly used to evade it.
  • Disable Macros and Script Execution: Limit the execution of macros and scripts, particularly in non-administrative accounts, as ransomware often spreads through malicious attachments or scripts.
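The following is an added example, not code from the SonicWall, Elastio or Help Net Security reports, showing the two file-level detections the Endpoint Protection item above calls for: a host sweep for the ".d3prU" extension and the per-directory .txt ransom notes, and a rename-burst check of the kind an EDR rule would run over file telemetry. All sample data is constructed inline; the ransom-note file name (RECOVERY.txt), the detection window and the threshold are assumptions to tune per environment, not values taken from the reports.

```python
"""Added example (not from the SonicWall, Elastio or Help Net Security
reports): a host sweep for the two file-level GoZone indicators named above,
plus a rename-burst check of the kind an EDR rule would run over file
telemetry. All sample data is constructed inline; the ransom-note file name,
window and threshold are assumptions to tune per environment."""
import os
import tempfile
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".d3pru"   # ".d3prU" appended by GoZone, compared case-insensitively


def _is_encrypted(name):
    return name.lower().endswith(ENCRYPTED_EXT)


def sweep(root):
    """Walk `root`; return (encrypted_files, note_dirs), both sorted.

    GoZone drops a .txt ransom note in every directory it encrypts, so a
    directory holding both .d3prU files and a .txt file is reported. Only
    the note's extension is used because its file name is not given above."""
    encrypted, note_dirs = [], []
    for dirpath, _subdirs, files in os.walk(root):
        enc = [f for f in files if _is_encrypted(f)]
        txt = [f for f in files if f.lower().endswith(".txt")]
        encrypted.extend(os.path.join(dirpath, f) for f in enc)
        if enc and txt:
            note_dirs.append(dirpath)
    return sorted(encrypted), sorted(note_dirs)


def peak_rename_rate(events, window=timedelta(seconds=10)):
    """events: (timestamp, old_name, new_name) rename records, any order.
    Returns the largest number of renames *to* .d3prU inside any sliding
    `window`; bulk encryption shows up as a spike, a single renamed file does
    not. Files already carrying the extension are ignored."""
    hits = sorted(ts for ts, old, new in events
                  if _is_encrypted(new) and not _is_encrypted(old))
    peak = start = 0
    for end, ts in enumerate(hits):
        while ts - hits[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def is_encryption_burst(events, threshold=20, window=timedelta(seconds=10)):
    """Alert when `threshold` or more files gain .d3prU within one window."""
    return peak_rename_rate(events, window) >= threshold


# --- constructed sample data -------------------------------------------------

def build_sample_tree():
    """Create a throwaway tree: docs/ is 'hit' (encrypted files + note),
    pics/ has an encrypted file but no note, clean/ is untouched.
    RECOVERY.txt is an assumed note name, not one reported for GoZone."""
    root = tempfile.mkdtemp(prefix="gozone_demo_")
    layout = {
        "docs": ["report.docx.d3prU", "budget.xlsx.d3prU", "RECOVERY.txt"],
        "pics": ["holiday.jpg.d3prU"],
        "clean": ["readme.txt", "notes.md"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for n in names:
            with open(os.path.join(root, sub, n), "w") as fh:
                fh.write("sample\n")
    return root


def burst_events():
    """25 renames to .d3prU within five seconds, plus one benign rename."""
    base = datetime(2024, 11, 6, 12, 0, 0)
    ev = [(base + timedelta(milliseconds=200 * i),
           f"file{i}.docx", f"file{i}.docx.d3prU") for i in range(25)]
    ev.append((base + timedelta(seconds=1), "notes.txt", "notes.bak"))
    return ev


def slow_events():
    """Three renames to .d3prU a minute apart: not a burst."""
    base = datetime(2024, 11, 6, 12, 0, 0)
    return [(base + timedelta(minutes=i), f"a{i}.pdf", f"a{i}.pdf.d3prU")
            for i in range(3)]


if __name__ == "__main__":
    enc, dirs = sweep(build_sample_tree())
    print(f"{len(enc)} encrypted files; note directories: {dirs}")
    print("burst:", is_encryption_burst(burst_events()),
          "slow:", is_encryption_burst(slow_events()))
```

The sweep is an after-the-fact triage tool: run it against a suspect host or a mounted volume to scope which directories were touched before deciding on restoration. The burst check is the preventive half; the same sliding-window logic applied to live rename telemetry (Sysmon, EDR file events) catches the bulk extension change in its first seconds, which is the moment to isolate the host, and it deliberately ignores a single renamed file so that a user renaming one document does not trip it. The 20-files-in-10-seconds threshold is a starting point, not a measured GoZone rate, and should be tuned against a baseline of normal file activity on the monitored systems.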
Link(s):
https://www.helpnetsecurity.com/2024/11/06/gozone-ransomware-d3pru/

https://blog.sonicwall.com/en-us/20...e-adopts-coercive-tactics-to-extract-payment/

https://elastio.com/go-zone/