Remove Google Go Ransomware and Restore .enc Files - How to, Technology and PC Security Forum |

Remove Google Go Ransomware and Restore .enc Files


Google Go is the name of a ransomware cryptovirus. The virus is dubbed that way because it is built on Google’s program language “Go” and it is the first ever ransomware to do so. The Go language is free, open source and is compatible with Windows, Linux, Mac OS X and versions of Unix. The scale of the infections is still unknown, but the potential compatibility of the virus with different operating systems makes it versatile. Hopefully, cybercriminals may not have targeted each of the aforementioned operating systems. After encryption, a ransom note appears. Locked files will have the .enc extension. To see how to remove this virus and how you can try restoring your data, read the article carefully.

Threat Summary

NameGoogle Go Ransomware
TypeRansomware, Cryptovirus
Short DescriptionA cryptovirus written in Google’s Go open-source programming language. After encryption it demands a ransom payment, just like a typical ransomware.
SymptomsThe ransomware will encrypt all files with the .enc extension as their appendix and display a ransom message afterward.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Google Go Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Google Go Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Google Go Ransomware – Infection

Google Go ransomware might infect your computer device using different methods for distribution. The payload file could be contained inside spam emails. An email loaded from a spam campaign will be designed to look very important and have a file attachment. The attached file will look legitimate and you will be prompted to open it. By doing so, you will release the malicious code inside which will place the payload file and infect your computer system with the virus.

Other methods for getting infected with the Google Go ransomware might exist. For example – using file sharing platforms and social media networks for uploading. The ransomware creators could have placed the malicious payload executable on such services in an attempt to get even more computer systems infected. When surfing the World Wide Web, try to be more careful. Refrain from opening files from suspicious links or e-mails. Scan every file that you want to open with security software and check its size and signature beforehand. You should look at more ransomware prevention tips in the corresponding forum topic.

Google Go Ransomware – Technical Description

Malware researchers from Dr. Web have recently discovered the Google Go ransomware. The ransomware uses Google’s program language Go hence it’s named accordingly. This is the first ever ransomware to use that language. The Go language is free and open source which makes it accessible. The worst part is that the language is compatible with Windows, Linux, Mac OS X, some versions of Unix and even with mobile devices and that might be utilized by the virus.

The Google Go ransomware places its payload file named “Windows_Security.exe” in the C:\Users\[UserName]\AppData\Roaming\Windows_Update folder. Afterward, it creates the following registry entry for persistence:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Windows-Defender /t REG_SZ /F /D %APPDATA%\Windows_Update\Windows_Security.exe

Such entries are usually used to set the virus to launch automatically with every boot of the Windows operating system or the payload file to be excluded from detections of security software implemented in the Windows core system.

When your data gets encrypted, a file called Instructions.html will be loaded in your default browser. The file loads the instructions for paying the ransom, as one can figure out from the file’s name. You can view the contents of this file from the below picture:


The ransom note reads the following:

All your files have been encrypted using AES 256, there is no way to decrypt them by yourself.
If you want to decrypt them your have to pay approximately 25$ in Bitcoins to the following address: –
Amount 0.052300 BTC’s
To the address: –
Do not worry if you don’t know what bitcoins are, they are an online currency that is not regulated by ant government, the price changes daily but now is near the 600$ usd dollars. To get some bitcoins you can go to some of this web pages:
In this page you can store your bitcoins and also buy them using your credit card. It is a safe page, you can check it online if you aren’t sure.
This a web where people contact each others to exchange Bitcoins for money in paypal. In cash if you find someone nearby and many other ways.
I strongly recommend as you can be done in 15 minutes and your files will start decrypting. I recommend you look for info online if you don’t want to use
If you can’t figure our something send me an email to [email protected] You have 72 hours from now on the send the payment or you will lose all the data to son’t wait to send an email if you don’t know something.
I hope to hear from you soon.

The Google Go ransomware uses the email address [email protected] that is provided as a means of contact with the cybercriminals. ProtonMail is an encrypted e-mail service which is utilized by many new ransomware developers. The reason probably is the promised encryption by the service, which makes it harder to track down the crooks.

The Google Go ransomware developers have written in the ransom note that you have only 72 hours to decrypt your data, otherwise it will get deleted. The amount which is demanded for payment is 0.052300 Bitcoins which right now equals to exactly 33.33 US dollars. You should not pay, nor contact the cybercriminals, as no one can guarantee that you will recover your files after payment. The criminals will most probably use the money for criminal activities, such as the development of a sturdier ransomware virus.

The ransomware uses a 256-bit AES encryption algorithm. All encrypted files will have the .enc extension appended to them and their original file name scrambled with random symbols.

However, the following directories will be excluded from the encryption process:

  • tmp
  • winnt
  • Application Data
  • AppData
  • Program Files (x86)
  • Program Files
  • temp
  • thumbs.db
  • Recycle.Bin
  • System Volume Information
  • Boot
  • Windows
  • .enc
  • Instructions
  • Windows_Security.exe

The ransomware is known to encrypt over 140 different file types, and you can preview them right here:

→.aes, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .cgm, .cmd, .com, .cpp, .crt, .csr, .css, .dbf, .dch, .dif, .dip, .djv, .enc, .exe, .fla, .flv, .frm, .gif, .gpg, .htm, .hwp, .ibd, .jar, .jpg, .key, .lay, .ldf, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mpg, .odb, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .pas, .pdf, .pem, .php, .png, .pot, .pps, .psd, .rar, .raw, .sch, .slk, .snd, .sql, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .arc, .csv, .doc, .dot, .myd, .myi, .nef, .paq, .ppt, .rtf, .xls, .tar, .tbk, .tgz, .tif, .txt, .uop, .uot, .vbs, .vmx, .vob, .wav, .wks, .wma, .wmv, .xlc, .xlm, .xlt, .xlw, .xml, .zip0, .000, .djvu, .docb, .docm, .docx, .dotm, .dotx, .html, .java, .jpeg, .lay6, .mpeg, .ms11, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .pptx, .sldm, .sldx, .tiff, .xlsb, .xlsm, .xlsx, .xltm, .xltx, .class, .qcow2, .sqlite3, .tar, .bz2

The Google Go ransomware erases the Shadow Volume Copies from the Windows operating system with the following command:

→vssadmin.exe Delete Shadows /All /Quiet

Read further and see in which ways you can try to restore some of your files back to normal.

Remove Google Go Ransomware and Restore .enc Files

If your computer got infected with the Google Go ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Google Go Ransomware.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share