Remove Google Go Ransomware and Restore .enc Files


Google Go is the name of a ransomware cryptovirus. It is dubbed that way because it is built with Google’s programming language “Go”, and it is the first ransomware ever to do so. The Go language is free, open source and compatible with Windows, Linux, Mac OS X and versions of Unix. The scale of the infections is still unknown, but the potential compatibility of the virus with different operating systems makes it versatile. Hopefully, the cybercriminals have not targeted each of the aforementioned operating systems. After encryption, a ransom note appears. Locked files will have the .enc extension. To see how to remove this virus and how you can try restoring your data, read the article carefully.

Threat Summary

Name: Google Go Ransomware
Type: Ransomware, Cryptovirus
Short Description: A cryptovirus written in Google’s Go open-source programming language. After encryption it demands a ransom payment, just like a typical ransomware.
Symptoms: The ransomware encrypts files, appends the .enc extension to them and displays a ransom message afterward.
Distribution Method: Spam Emails, Email Attachments

Google Go Ransomware – Infection

Google Go ransomware might infect your computer using different distribution methods. The payload file could be contained inside spam emails. An email from a spam campaign will be designed to look very important and will carry a file attachment. The attached file will look legitimate and you will be prompted to open it. By doing so, you release the malicious code inside, which places the payload file and infects your computer system with the virus.

Other methods for getting infected with the Google Go ransomware might exist, for example file sharing platforms and social media networks. The ransomware creators could have uploaded the malicious payload executable to such services in an attempt to get even more computer systems infected. When surfing the World Wide Web, try to be more careful. Refrain from opening files from suspicious links or e-mails. Scan every file that you want to open with security software and check its size and signature beforehand. More ransomware prevention tips are available in the corresponding forum topic.

Google Go Ransomware – Technical Description

Malware researchers from Dr. Web have recently discovered the Google Go ransomware. The ransomware is written in Google’s programming language Go, hence its name. This is the first ransomware ever to use that language. The Go language is free and open source, which makes it accessible. The worst part is that the language is compatible with Windows, Linux, Mac OS X, some versions of Unix and even mobile devices, and the virus might take advantage of that.

The Google Go ransomware places its payload file named “Windows_Security.exe” in the C:\Users\[UserName]\AppData\Roaming\Windows_Update folder. Afterward, it creates the following registry entry for persistence:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Windows-Defender /t REG_SZ /F /D %APPDATA%\Windows_Update\Windows_Security.exe

Such entries are usually used to make the virus launch automatically with every boot of the Windows operating system, or to keep the payload file from being detected by the security software built into the Windows core system.

When your data gets encrypted, a file called Instructions.html will be loaded in your default browser. As its name suggests, the file contains the instructions for paying the ransom.

The ransom note reads the following:

ALL YOUR FILES HAS BEEN ENCRYPTED
All your files have been encrypted using AES 256, there is no way to decrypt them by yourself.
If you want to decrypt them your have to pay approximately 25$ in Bitcoins to the following address: –
Amount 0.052300 BTC’s
To the address: –
Do not worry if you don’t know what bitcoins are, they are an online currency that is not regulated by ant government, the price changes daily but now is near the 600$ usd dollars. To get some bitcoins you can go to some of this web pages:
-Coinbase
In this page you can store your bitcoins and also buy them using your credit card. It is a safe page, you can check it online if you aren’t sure.
-Localbitcoins.com
This a web where people contact each others to exchange Bitcoins for money in paypal. In cash if you find someone nearby and many other ways.
I strongly recommend coinbase.com as you can be done in 15 minutes and your files will start decrypting. I recommend you look for info online if you don’t want to use coinbase.com
IT IS EXTREMELY IMPORTANT THAT YOU SEND THE EXACT AMOUNT AND THAT THIS PROGRAM IS RUNNING WHILE YOU MAKE THE PAYMENT TO BE ABLE TO CONFIRM THE TRANSACTION.
If you can’t figure our something send me an email to [email protected] You have 72 hours from now on the send the payment or you will lose all the data to son’t wait to send an email if you don’t know something.
I hope to hear from you soon.

The Google Go ransomware uses the email address [email protected] that is provided as a means of contact with the cybercriminals. ProtonMail is an encrypted e-mail service which is utilized by many new ransomware developers. The reason probably is the promised encryption by the service, which makes it harder to track down the crooks.

The Google Go ransomware developers have written in the ransom note that you have only 72 hours to decrypt your data, otherwise it will get deleted. The amount demanded for payment is 0.052300 Bitcoins, which right now equals exactly 33.33 US dollars. You should not pay, nor contact the cybercriminals, as no one can guarantee that you will recover your files after payment. The criminals will most probably use the money for criminal activities, such as the development of a sturdier ransomware virus.

The ransomware uses a 256-bit AES encryption algorithm. All encrypted files will have the .enc extension appended to them and their original file name scrambled with random symbols.

However, the following directories will be excluded from the encryption process:

  • tmp
  • winnt
  • Application Data
  • AppData
  • Program Files (x86)
  • Program Files
  • temp
  • thumbs.db
  • Recycle.Bin
  • System Volume Information
  • Boot
  • Windows
  • .enc
  • Instructions
  • Windows_Security.exe

The ransomware is known to encrypt over 140 different file types, and you can preview them right here:

.aes, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .cgm, .cmd, .com, .cpp, .crt, .csr, .css, .dbf, .dch, .dif, .dip, .djv, .enc, .exe, .fla, .flv, .frm, .gif, .gpg, .htm, .hwp, .ibd, .jar, .jpg, .key, .lay, .ldf, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mpg, .odb, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .pas, .pdf, .pem, .php, .png, .pot, .pps, .psd, .rar, .raw, .sch, .slk, .snd, .sql, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .arc, .csv, .doc, .dot, .myd, .myi, .nef, .paq, .ppt, .rtf, .xls, .tar, .tbk, .tgz, .tif, .txt, .uop, .uot, .vbs, .vmx, .vob, .wav, .wks, .wma, .wmv, .xlc, .xlm, .xlt, .xlw, .xml, .zip0, .000, .djvu, .docb, .docm, .docx, .dotm, .dotx, .html, .java, .jpeg, .lay6, .mpeg, .ms11, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .pptx, .sldm, .sldx, .tiff, .xlsb, .xlsm, .xlsx, .xltm, .xltx, .class, .qcow2, .sqlite3, .tar, .bz2

The Google Go ransomware erases the Shadow Volume Copies from the Windows operating system with the following command:

vssadmin.exe Delete Shadows /All /Quiet
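
The Run key entry for Windows_Security.exe and the shadow copy deletion command quoted above can both be matched in process-creation logs. The following Python code is an added example, not taken from the article or from Dr. Web; the event field names, the `reg add` invocation and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Patterns built from the indicators quoted in the article.
RULES = {
    # reg.exe-style write of the "Windows-Defender" value under the Run key
    "run_key_persistence": re.compile(
        r"\\CurrentVersion\\Run\s.*/v\s+Windows-Defender\b", re.I),
    # payload path, with %APPDATA% either literal or already expanded
    "payload_path": re.compile(
        r"(%APPDATA%|\\AppData\\Roaming)\\Windows_Update\\Windows_Security\.exe", re.I),
    # vssadmin Delete Shadows with /All, as quoted in the article
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b(?=.*/all\b)", re.I),
}

def normalise(cmd):
    """Drop quotes and collapse whitespace so spacing variations still match."""
    return re.sub(r"\s+", " ", cmd.replace('"', "").replace("'", "")).strip()

def scan(events):
    """Return {host: sorted rule names hit} for process-creation events."""
    hits = defaultdict(set)
    for ev in events:
        cmd = normalise(ev["command_line"])
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits[ev["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}

def triage(events):
    """Hosts with shadow copy deletion plus a payload or Run key hit come first."""
    return sorted(h for h, names in scan(events).items()
                  if "shadow_copy_deletion" in names and len(names) > 1)

# Constructed sample events (not from a real incident); field names are assumptions.
SAMPLE = [
    {"host": "ws-01", "command_line": r'reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Windows-Defender /t REG_SZ /F /D %APPDATA%\Windows_Update\Windows_Security.exe'},
    {"host": "ws-01", "command_line": r'"vssadmin.exe"  Delete Shadows /All /Quiet'},
    {"host": "ws-02", "command_line": r'vssadmin list shadows'},
    {"host": "ws-02", "command_line": r'reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v OneDrive /d C:\OneDrive.exe'},
    {"host": "ws-03", "command_line": r'C:\Users\alice\AppData\Roaming\Windows_Update\Windows_Security.exe'},
]

if __name__ == "__main__":
    for host, names in scan(SAMPLE).items():
        print(host, names)
    print("priority:", triage(SAMPLE))
```

The benign `vssadmin list shadows` and the unrelated Run key write on ws-02 produce no hit, which is the behaviour to preserve when adapting the patterns to a real log source.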

Read further and see in which ways you can try to restore some of your files back to normal.

Remove Google Go Ransomware and Restore .enc Files

If your computer got infected with the Google Go ransomware virus, you should have some experience in removing malware. Get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. Remove the ransomware by following the step-by-step instructions given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Google Go Ransomware.

To remove Google Go Ransomware follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Google Go Ransomware files and objects
2. Find files created by Google Go Ransomware on your PC

IMPORTANT!
Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by Google Go Ransomware

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
