Golang Ransomware

New ransomware highlights widespread adoption of Golang language by cyberattackers

A new ransomware strain uses Golang, highlighting the language's increasing popularity among threat actors.


CrowdStrike secured a sample of a new, as yet unnamed ransomware variant that borrows features from HelloKitty/DeathRansom and FiveHands.

These ransomware families are believed to have been active since 2019. They have been linked to attacks on Cyberpunk 2077, CD Projekt Red (CDPR), and enterprise organizations.

The malware has functions similar to those of HelloKitty and FiveHands. Its components are written in C++, and it accepts command-line arguments.

Like FiveHands, the new malware uses an executable packer to decrypt the malicious payload, including the use of the command-line switch “key”.

CrowdStrike states that this method of dropping a memory-only payload prevents security systems from detecting the final payload if the key used to execute it is not available.

In contrast to HelloKitty and FiveHands, however, this ransomware strain has adopted a Go packer that encrypts the C++ ransomware payload.

According to Intezer, malware written in Go was rare before 2019, but the language is now a popular option because code can be compiled quickly for multiple platforms and the result is difficult to reverse-engineer. In the last few years, sample rates have increased by around 2,000%.

CrowdStrike’s sample uses the most recent version of Golang, v.1.16, which was released in February 2021.

CrowdStrike points out that even though Golang-written malware or packers aren’t new, it is difficult to compile it with the most recent Golang. “This is because all the necessary libraries are statically linked, and included in the compiler binary. Function name recovery can be difficult.”

Alongside its use of Go, the sample has typical ransomware functions, including the ability to encrypt files or disks and to issue a demand for payment in exchange for a decryption code.

The ransom note directs victims towards a Tor address to chat with the malware’s developers. It also claims that they have stolen more than 1TB of personal data. This suggests that the developers are trying to ‘double-extort’: if the victim refuses to pay, the threat is to leak their information.

Earlier this month, BlackBerry’s threat research team published a report on ChaChi, a Trojan written in Go that has been used to attack French government authorities, and more recently, the US education sector.