Unfortunately, ransomware has become one of the most prevalent and damaging cyber threats. New variants of established ransomware families appear all the time, alongside entirely new ones. Gomasom ransomware has just been detected in the wild. Gomasom was first documented by Fabian Wosar from Emsisoft. The name is short for Google Mail Ransom, because Gmail email addresses are embedded in the encrypted file names.
| | |
|---|---|
| Short Description | Encrypts data files and executables. |
| Symptoms | Files are encrypted and renamed. |
| Distribution Method | Not known yet. |
| Detection Tool | Download Malware Removal Tool to see if your system has been affected by Gomasom. |
| User Experience | Join our forum to follow the discussion about Gomasom. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive. |
Compared with other ransomware cases, Gomasom is a newcomer on the malware horizon, having been active for only the past few weeks.
Gomasom gets its name from GOogle MAil ranSOM. It typically infects a machine, encrypts the user's files, inserts a Gmail address into each file's name, and appends a .crypt file extension.
If you were infected by Gomasom and have questions about it, do share them with us.
A topic dedicated to Gomasom has been started in our forum: How to Restore [filename]!__.crypt Files
Gomasom Ransomware Technical Description
Researchers have reported that Gomasom is quite destructive, because it encrypts both user data files and executable files. Because executables are encrypted too, most of the victim's applications will no longer run. Once the ransomware is inside the computer, it renames files to [filename].jpg!__[symbols]@gmail.com_.crypt. To receive payment instructions, the victim is expected to send an email to the address embedded in the file name.
Gomasom Ransomware Distribution
The exact distribution method of this particular ransomware is not yet known. However, most ransomware is spread via:
- Suspicious links redirecting to pages hosting exploit kits;
- Spam email campaigns and malicious attachments.
The Trojan horse most likely used to deliver Gomasom also hasn't been identified.
Gomasom Ransomware Encryption and Decryption
As already mentioned, the ransomware encrypts both data and executable files, leaving the victim's programs non-functional. Once it is installed on the system, Gomasom creates a malware executable with a random name, places it in C:\Users\User\AppData\Local\Microsoft Help\ and creates an autorun entry so that it starts every time Windows starts.
When the system is started, Gomasom will scan all drive letters for data and executable files to encrypt. Upon encryption, files will be renamed to [filename]!__.crypt.
Interestingly enough, Gomasom doesn’t leave a ransomware note.
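Because Gomasom drops no ransom note, the renamed files are the main host-level indicator: the `!__` separator, the optional Gmail contact address and the `.crypt` suffix described above. The following is an added example, not code from the original write-up or from Emsisoft, of a small triage script that walks a directory tree, recognises that naming scheme, recovers the original file name and the attacker's contact address from each hit, and checks the drop directory named above for executables. The regex, the helper names and the sample file names are this example's own constructions; the profile name "User" in the persistence path is a placeholder.

```python
import os
import re
import tempfile
from pathlib import Path

# Naming scheme from the write-up: [filename]!__[symbols]@gmail.com_.crypt
# The e-mail part is optional, since some files are reported simply as [filename]!__.crypt.
# (Regex constructed for this example.)
CRYPT_NAME = re.compile(r"^(?P<original>.+?)!__(?:(?P<email>[^_]+@[^_]+)_)?\.crypt$")

# Drop directory named in the write-up; "User" is a placeholder profile name.
PERSISTENCE_DIR = Path(r"C:\Users\User\AppData\Local\Microsoft Help")


def parse_crypt_name(name):
    """Return (original_name, contact_email) if `name` follows the Gomasom pattern, else None.
    contact_email is None when the name carries no address."""
    m = CRYPT_NAME.match(name)
    if not m:
        return None
    return m.group("original"), m.group("email")


def find_encrypted_files(root):
    """Walk `root` and collect every file whose name follows the renaming scheme."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            parsed = parse_crypt_name(fname)
            if parsed:
                original, email = parsed
                hits.append({"path": os.path.join(dirpath, fname),
                             "original": original,
                             "email": email})
    return hits


def find_persistence_candidates(persistence_dir=PERSISTENCE_DIR):
    """List .exe files in the directory the write-up names as the drop location.
    Returns an empty list when the directory does not exist (e.g. on a clean host)."""
    p = Path(persistence_dir)
    if not p.is_dir():
        return []
    return sorted(str(f) for f in p.iterdir() if f.suffix.lower() == ".exe")


def summarize(root):
    """Count encrypted files under `root` and collect the distinct contact addresses."""
    hits = find_encrypted_files(root)
    emails = sorted({h["email"] for h in hits if h["email"]})
    return {"encrypted_count": len(hits), "contact_emails": emails}


def build_sample_tree():
    """Constructed test data: a temp dir with two 'encrypted' names and one clean file."""
    root = tempfile.mkdtemp(prefix="gomasom_demo_")
    for n in ("vacation.jpg!__h3lp.me@gmail.com_.crypt",   # constructed, with address
              "budget.xlsx!__.crypt",                        # constructed, no address
              "notes.txt"):                                  # untouched file
        Path(root, n).write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for hit in find_encrypted_files(root):
        print(f"{hit['path']}: original={hit['original']!r} contact={hit['email']}")
    print(summarize(root))
    print("persistence candidates:", find_persistence_candidates())
```

Run it as-is to see the constructed sample classified; point `find_encrypted_files` at a real share or user profile to inventory affected files, and use the recovered original names to locate clean copies (backups, mail attachments, installers) for the known-plaintext decryptor described in the next section.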
The good news is that there is a solution to Gomasom encryption and it has been developed by Emsisoft. All you need to do is download the decrypt_gomasom.exe from http://emsi.at/DecryptGomasom.
How to use decrypt_gomasom.exe?
To recover the decryption key, drag an encrypted file together with the unencrypted version of the same file and drop both onto the decrypt_gomasom.exe icon. Further instructions on how to use the Gomasom decryptor are available on Bleeping Computer.
In order to remove all leftovers of Gomasom ransomware, refer to our removal instructions below.