Godra Ransomware demands 200,000 Euros for decryption
The SonicWall Capture Labs Threat Research team has come across Bosnian ransomware posing as correspondence from the Croatian Financial Agency (FINA). It is reported to arrive by email and demands an astronomical 200,000 Euros in bitcoin for decryption.
The Trojan uses the following icon:
The Trojan drops the following files onto the system:
- Prijedlog_za_ovrhu_urbr_220-2017.pdf
- KAKO OTKLJUČATI VAŠE DATOTEKE.log (in every folder containing encrypted files)
Prijedlog_za_ovrhu_urbr_220-2017.pdf is a text file and contains the following text:
The text is a timestamp. The file serves as an infection marker, a file-based mutex: its presence tells a later run of the Trojan that the system has already been processed, preventing double infection.
KAKO OTKLJUČATI VAŠE DATOTEKE.log contains the following text:
The text is in Bosnian. We translated it to English using Google Translate:
YOUR PERSONAL FILES ARE CREATED !!!

WARNING! DO NOT TEST DECEPTATE YOUR FILES ONLY. EVERY MODIFICATION OF DECEPTED FILES MAKE SUCCESSFUL MUCH! ONE WAY TO DETERMINE YOUR FILES IS IMPORTANT TO COMPLETE INSTRUCTIONS !!!

What happened to my computer?
All your essential files are encrypted. All your documents, photos, video materials, databases and other files are no longer available because they are encrypted. Do not poke and waste time decrypting or restoring your files because no one can decrypt your files without our decryption service.

Can I restore my files?
Of course. WE GUARANTEE the return of your files after payment: 2.000,00 EUR (two hundred thousand) in BTC (BitCoin) equivalent. You have 48 hours to send a payment, otherwise the price is doubled. Also, if you do not make a payment after another 72 hours, your files will be lost irretrievably. After the payment has been made, please send us the "User ID" and the wallet number from which the payment was made to email@example.com
User ID: 1519657128
After that, we will send you decryption software that will restore your files. Please note that * NOT IN WHAT MODE * you do not modify your encrypted files because the return will NOT be possible. You can send us a file at firstname.lastname@example.org (up to 100kB) in order to prove to you that decryption is possible.

HOW TO PAY?
We only accept payments in BTC (BitCoin) currency. The payment must be made to the following address: 13srq1SP93mEs7asR2UxWBUts3x9oUcuac
Do not use "deep web" wallets such as Tor Wallet, Onion Wallet, Shadow Wallet, Hidden Wallet and the like. Buy BTC (BitCoin) only from the official BitCoin Exchange!
Official exchange rate and prices: https://howtobuybitcoins.info/
Shopping recommendations: https://bit4coin.net/ or https://www.coinbase.com/ or https://xcoins.io/
Bit4Net does not need registration! You can buy BitCoin via PayPal at Xcoins.io!
E-mail address for communication: email@example.com
Send us an e-mail with your "User ID" and the wallet from which the payment was made!

WARNING! DO NOT TEST DECEPTATE YOUR FILES ONLY. EVERY MODIFICATION OF DECEPTED FILES MAKE SUCCESSFUL MUCH! ONE WAY TO DETERMINE YOUR FILES IS IMPORTANT TO COMPLETE INSTRUCTIONS !!!

We reached out to firstname.lastname@example.org via email but received no response.
The Trojan attempts to contact fina.online, but at the time of writing the page appears to have been cleaned up:
Debugging the executable shows the Trojan iterating through files on the system, encrypting each one and appending "godra" to its name once encryption completes:
The Trojan uses its own custom encryption routine rather than a standard cryptographic library. While debugging we were able to locate both the encryption algorithm and the key it uses. Because the key is recoverable from the sample itself, this can potentially be used to restore encrypted files without paying the ransom:
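For responders scoping an infection, the three on-disk artifacts described above (the "godra" suffix appended to encrypted file names, the ransom note dropped in every folder containing encrypted files, and the timestamp-bearing marker file) are enough to build a quick triage script. The following is an added example, not SonicWall's code or anything from the sample. It walks a directory tree, inventories encrypted files, flags folders with encrypted files but no note, recovers pre-encryption file names, and decodes the marker. Two assumptions are made and labelled in the code: the page does not say whether a dot precedes the appended "godra", so both forms are handled, and the marker's timestamp format is not shown, so it is parsed as a Unix epoch in seconds. The sample tree, including the marker content, is constructed for the demonstration.

```python
"""Triage helper for a Godra infection (added example, not the page's code).

Artifacts taken from the analysis above:
  * encrypted files have "godra" appended to their names
  * "KAKO OTKLJUČATI VAŠE DATOTEKE.log" sits in every folder with encrypted files
  * "Prijedlog_za_ovrhu_urbr_220-2017.pdf" holds a timestamp and acts as a marker
"""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

NOTE_NAME = "KAKO OTKLJUČATI VAŠE DATOTEKE.log"
MARKER_NAME = "Prijedlog_za_ovrhu_urbr_220-2017.pdf"
SUFFIX = "godra"


def scan(root):
    """Walk `root` and collect Godra artifacts into a dict of sorted lists:
    encrypted (file paths), notes (dirs holding the note), missing_note
    (dirs with encrypted files but no note), markers (marker file paths)."""
    root = Path(root)
    encrypted, notes, markers = [], [], []
    dirs_with_encrypted = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        for name in filenames:
            if name == NOTE_NAME:
                notes.append(d)
            elif name == MARKER_NAME:
                markers.append(d / name)
            elif name.endswith(SUFFIX):
                encrypted.append(d / name)
                dirs_with_encrypted.add(d)
    note_dirs = set(notes)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "missing_note": sorted(d for d in dirs_with_encrypted if d not in note_dirs),
        "markers": sorted(markers),
    }


def original_name(encrypted_path):
    """Strip the appended "godra" to recover the pre-encryption file name.
    Assumption: the page does not state whether a dot precedes the suffix,
    so "ugovor.docx.godra" and "odmor.jpggodra" are both handled."""
    name = Path(encrypted_path).name
    if not name.endswith(SUFFIX):
        return name
    stripped = name[: -len(SUFFIX)]
    return stripped[:-1] if stripped.endswith(".") else stripped


def marker_time(marker_path):
    """Decode the marker's timestamp as a UTC datetime.
    Assumption: the marker holds a Unix epoch in seconds (the page only says
    "a timestamp"); returns None if the content is not a plain integer."""
    text = Path(marker_path).read_text(encoding="utf-8", errors="replace").strip()
    if not text.isdigit():
        return None
    return datetime.fromtimestamp(int(text), tz=timezone.utc)


def build_sample():
    """Constructed directory tree mimicking an infected user profile.
    The marker value is constructed here; it reuses the note's "User ID"
    purely as a plausible epoch value for the demonstration."""
    root = Path(tempfile.mkdtemp(prefix="godra_triage_"))
    profile = root / "Users" / "ana"
    docs, pics = profile / "Documents", profile / "Pictures"
    docs.mkdir(parents=True)
    pics.mkdir(parents=True)
    (docs / "ugovor.docx.godra").write_bytes(b"\x00" * 16)
    (docs / "proracun.xlsx.godra").write_bytes(b"\x00" * 16)
    (docs / NOTE_NAME).write_text("ransom note", encoding="utf-8")
    (pics / "odmor.jpggodra").write_bytes(b"\x00" * 16)  # folder without a note
    (profile / MARKER_NAME).write_text("1519657128", encoding="utf-8")
    return root


if __name__ == "__main__":
    r = build_sample()
    result = scan(r)
    print(f"{len(result['encrypted'])} encrypted files in {len(result['notes'])} noted folders")
    for d in result["missing_note"]:
        print(f"encrypted files but no ransom note: {d}")
    for p in result["encrypted"]:
        print(f"{p.name} -> {original_name(p)}")
    for m in result["markers"]:
        print(f"marker {m}: {marker_time(m)}")
```

Run the script against a mounted image of the affected volume instead of the constructed tree to get a file-level inventory before any recovery attempt; the missing_note list is worth checking, since a folder holding "godra" files without the note suggests encryption was interrupted there.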
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Godra.RSM (Trojan)