
New Ransomware Variant? GORO


This topic is locked
15 replies to this topic

#1 Black_RiOt

Black_RiOt

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:42 AM

Posted 17 July 2017 - 10:09 AM

Hi all, I got a computer with ransom notes all over in html format and .GORO files. The email associated with it is: Mk.goro@aol.com.

 

I've tried RakhniDecryptor and Avast's Crysis Decryptor without success.

 

I've suspended the process goro.exe that is still running, and the executable file is still on the desktop of the PC.

 

Can someone help me with that? Just tell me what you need and I will try to provide it.

 

Best regards,

 

Black_RiOt




#2 techghost

techghost

  • Members
  • 191 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:42 AM

Posted 17 July 2017 - 10:29 AM

When were you infected? I can't find much about it on the internet.  



#3 Black_RiOt

Black_RiOt
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:42 AM

Posted 17 July 2017 - 10:48 AM

It seems to have been this morning at 7h14 EDT, looking at the goro.exe file creation time. And I did not find anything about that myself, except for the email address, which seems to relate to the older Wallet ransomware.



#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,251 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:42 PM

Posted 17 July 2017 - 11:15 AM

Can you share the ransom note? Indeed that email address has been used for several ransomware families, but I have recently seen ".GORO" come through as an unidentified extension on IDR.

 

If you could zip up the goro.exe, a few encrypted files (and their originals if you can), and the ransom note, please submit that all here for analysis: http://www.bleepingcomputer.com/submit-malware.php?channel=168


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#5 techghost

techghost

  • Members
  • 191 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:42 AM

Posted 17 July 2017 - 11:16 AM

There's nothing on BC as well. I hope you get help from some expert here. 



#6 Black_RiOt

Black_RiOt
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:42 AM

Posted 17 July 2017 - 11:48 AM

Thanks Demonslay335, I've just submitted the file but made a little mistake. I did not think to include contact info, only the link to this topic... The file is GORO.7z.


Edited by Black_RiOt, 17 July 2017 - 11:54 AM.


#7 ragerat1

ragerat1

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:42 AM

Posted 17 July 2017 - 11:57 AM

Got the same thing this morning. The day started off with none of our users being able to access a share on the server. We just re-took ownership and applied the permissions to it again. Then a user notified us they can access anything on their machine, and we noticed the *.GORO everywhere. We then scanned the server for .GORO and found one file, but that's it. No ransomware note yet though. Just an icon on the desktop called ProcessHacker.



#8 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,251 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:42 PM

Posted 17 July 2017 - 11:57 AM

It triggered our GlobeImposter rule when you submitted it, and I confirmed the note also is a GlobeImposter note. Afraid it is no longer decryptable, and they come through RDP. Restore from backups, and lock down your RDP via VPN and strong passwords.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#9 Black_RiOt

Black_RiOt
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:42 AM

Posted 17 July 2017 - 11:59 AM

I got the Process Hacker too on the desktop, but still running. It seems to be some kind of Process Explorer...



#10 Black_RiOt

Black_RiOt
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:42 AM

Posted 17 July 2017 - 12:02 PM

So Demonslay335. What did you mean by "it is no longer decryptable"?

To remove the infection, do I just kill the goro.exe process and restore files from backup? Or are there additional steps to take?



#11 Black_RiOt

Black_RiOt
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:42 AM

Posted 17 July 2017 - 12:09 PM

And also, for now the PC has not been restarted and I suspended GORO.exe execution. So is there any information that could be retrieved from this PC to help decrypt files for my computer or someone else?



#12 ragerat1

ragerat1

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:42 AM

Posted 17 July 2017 - 12:23 PM

BitDefender picked up goro.exe as Gen:Variant.Ransom.GlobeImposter.1

 

Successfully quarantined on server. Have to investigate why the desktop didn't.



#13 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,251 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:42 PM

Posted 17 July 2017 - 12:23 PM

If you still have it suspended, you could try doing a dump, wouldn't hurt. I'm not sure about whether it would be of any use to be honest, I didn't analyze that family myself.

 

Right-click the process in Task Manager, and do "Create Dump File". Zip up the .DMP file Windows creates, and share it using a third-party site (it will be decently large).

 

Process Hacker is a legit program, kinda like you said, a beefed up Process Explorer.

 

When I say "it is no longer decryptable", I mean it is not decryptable for free. The very first variants of GlobeImposter from over a year ago were decryptable, but they fixed the flaws since.

 

Once you have the dump, you can just kill the malware and restore anything from backups. Your server is compromised though, so you will need to scan it properly, and secure your RDP via strong passwords and VPN; RDP should NEVER be exposed to the whole internet.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
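Two things in this thread are worth turning into a repeatable check: ragerat1's scan of the server for .GORO files (post #7) and Demonslay335's advice to scan the machines properly before restoring from backup (post #13). The script below is an added example, not code from BleepingComputer or from any of the posters. It walks a directory tree read-only, inventories files carrying the encrypted-file extension and any ransom-note file names you give it, and reports the earliest and latest modification times of the encrypted files, which can be compared with other evidence such as the creation time of the dropped executable mentioned in post #3. The sample share it builds in a temp directory is constructed for the demonstration, the timestamps in it are made up, and the default ransom-note name `how_to_back_files.html` is a placeholder, since the thread never states the real GlobeImposter note name.

```python
"""Read-only ransomware file triage (added example, not from the thread).

Inventories files with a given extension (.GORO here) and ransom-note
candidates under a root, and records the modification-time window of the
encrypted files so the infection window can be lined up with other evidence.
Nothing is modified or deleted.
"""
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional, Set


@dataclass
class TriageReport:
    encrypted_files: List[str] = field(default_factory=list)
    ransom_notes: List[str] = field(default_factory=list)
    affected_dirs: Set[str] = field(default_factory=set)
    first_mtime: Optional[datetime] = None   # earliest encrypted-file mtime (UTC)
    last_mtime: Optional[datetime] = None    # latest encrypted-file mtime (UTC)


def triage(root, ext=".goro", note_names=("how_to_back_files.html",)):
    """Walk `root` and collect encrypted files, ransom notes and the mtime window.

    `ext` is matched case-insensitively against the end of each file name.
    `note_names` lists ransom-note file names to flag; the default is a
    placeholder, not the real note name for this family.
    """
    report = TriageReport()
    note_set = {n.lower() for n in note_names}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower.endswith(ext.lower()):
                report.encrypted_files.append(str(path))
                report.affected_dirs.add(dirpath)
                mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
                if report.first_mtime is None or mtime < report.first_mtime:
                    report.first_mtime = mtime
                if report.last_mtime is None or mtime > report.last_mtime:
                    report.last_mtime = mtime
            elif lower in note_set:
                report.ransom_notes.append(str(path))
    return report


# Constructed base timestamp: 2017-07-17 11:14:00 UTC (07:14 EDT), chosen to
# resemble the timeline in the thread; it is not taken from real evidence.
SAMPLE_BASE_EPOCH = 1500290040


def build_sample_tree():
    """Create a small constructed file share in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="goro_triage_")
    docs = Path(root) / "docs"
    pics = Path(root) / "pics"
    docs.mkdir()
    pics.mkdir()
    samples = {
        docs / "report.docx.GORO": SAMPLE_BASE_EPOCH,        # encrypted
        docs / "budget.xlsx.GORO": SAMPLE_BASE_EPOCH + 120,  # encrypted, 2 min later
        docs / "how_to_back_files.html": SAMPLE_BASE_EPOCH + 130,  # placeholder note
        pics / "photo.jpg": SAMPLE_BASE_EPOCH - 86400,       # untouched file
        Path(root) / "readme.txt": SAMPLE_BASE_EPOCH - 86400,  # untouched file
    }
    for path, epoch in samples.items():
        path.write_bytes(b"constructed sample content")
        os.utime(path, (epoch, epoch))  # pin atime/mtime for a deterministic report
    return root


def summarize(report):
    """Render a short human-readable summary of a TriageReport."""
    lines = [
        f"encrypted files: {len(report.encrypted_files)}",
        f"ransom notes:    {len(report.ransom_notes)}",
        f"affected dirs:   {len(report.affected_dirs)}",
    ]
    if report.first_mtime is not None:
        lines.append(f"first encrypted: {report.first_mtime.isoformat()}")
        lines.append(f"last encrypted:  {report.last_mtime.isoformat()}")
    return "\n".join(lines)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(summarize(triage(sample_root)))
```

Run it against a real share by calling `triage(r"\\server\share", ext=".goro", note_names=(...))` with the note file name observed on the affected machines; the mtime window it reports is only as trustworthy as the file system clock, so treat it as a cross-check against the executable's creation time rather than as proof on its own.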


#14 Black_RiOt

Black_RiOt
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:42 AM

Posted 17 July 2017 - 12:35 PM

Any suggestion on a third party site to post the Dump?



#15 Black_RiOt

Black_RiOt
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:42 AM

Posted 17 July 2017 - 12:52 PM

Ok, sorry for the last post. Finally I've used Google Drive... So here is the link to the 7z file containing the three dump files of the three goro.exe processes.

https://drive.google.com/drive/folders/0ByGYGVrtCny5cy1XaldlVkZTd0k?usp=sharing

 

Hope this can help...

 

Black_RiOt





