
A new ransomware strain has emerged that uses Golang in what is yet another sign of the programming language’s growing popularity among cybercriminals. CrowdStrike managed to get a sample of the new ransomware variant, which has not yet been named.

It borrows features from HelloKitty/DeathRansom and FiveHands. The ransomware strains are thought to have been active since 2019 and have been linked to attacks levelled against CD Projekt Red (CDPR), the maker of Cyberpunk 2077, as well as other enterprises. The samples showed functions similar to those of FiveHands and HelloKitty, with components written in C++.

What CrowdStrike found

The samples revealed the way the malware encrypts files and accepts command-line arguments. On top of that, just like FiveHands, the new malware uses an executable packer that requires a key value to decrypt the malicious payload into memory, passed using the “-key” command-line switch.

This method of using a memory-only dropper prevents security solutions from detecting the final payload without the key that executes the packer. The new ransomware has adopted a packer written in Go that encrypts its C++ ransomware payload, something that HelloKitty and FiveHands do not do.
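Because the key arrives on the command line, process-creation telemetry is where a defender can both spot such a launch and recover the key an analyst needs to unpack the sample. The following is an added example, not code from CrowdStrike's report: it assumes Sysmon-style process-creation events with `Computer`, `Image`, `ParentImage` and `CommandLine` fields, and that the value follows the switch after a space or `=`; the events, hosts and paths are constructed.

```python
import re

# "-key <value>" or "-key=<value>", value optionally double-quoted.
# The page names only the "-key" switch; the value syntax is an assumption.
KEY_SWITCH = re.compile(r'(?<!\S)-key(?:\s+|=)(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Directories a standard user can usually write to (assumed triage heuristic).
USER_WRITABLE = re.compile(
    r'\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop)|programdata|windows\\temp)\\',
    re.IGNORECASE)

def find_key_launches(events):
    """Return one finding per process-creation event that passes a -key value."""
    findings = []
    for ev in events:
        m = KEY_SWITCH.search(ev.get("CommandLine", ""))
        if not m:
            continue
        findings.append({
            "host": ev.get("Computer"),
            "image": ev.get("Image"),
            "parent": ev.get("ParentImage"),
            "key": m.group(1) or m.group(2),  # keep it: needed to detonate the sample
            "user_writable_path": bool(USER_WRITABLE.search(ev.get("Image", ""))),
        })
    # Stable sort: launches from user-writable paths are reviewed first.
    return sorted(findings, key=lambda f: not f["user_writable_path"])

# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "ws-014", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Computer": "ws-014", "Image": r"C:\Program Files\Vendor\licensetool.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Vendor\licensetool.exe" -key="AAAA-BBBB"'},
    {"Computer": "fs-02", "Image": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe -key 3f9a1c"},
    {"Computer": "fs-02", "Image": r"C:\Java\bin\keytool.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"keytool.exe -keystore C:\certs\app.jks"},
]

if __name__ == "__main__":
    for finding in find_key_launches(SAMPLE_EVENTS):
        print(finding)
```

A `-key` argument alone is not malicious, as the licensing tool in the sample data shows; the path flag and the parent process are what prioritise a finding for review.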

Before 2019, malware using Go was rare, but the programming language has since risen in popularity because of the ease of compiling code quickly for multiple platforms and how hard it can be to reverse-engineer. Sample rates have decreased by about 2,000% in the past few years, showing the effectiveness of the language. CrowdStrike uses the most recent version of Golang, v.1.16, which came out in February 2021.

Earlier this June, BlackBerry’s threat research team published a report about a Trojan written in Go, named ChaChi, which has been used to attack French government authorities and the US education sector.