A new ransomware is in the wild that has been dubbed Gomasom (GOogle MAil ranSOM) by Fabian Wosar of Emsisoft due to its use of gmail email addresses in the encrypted file names. This ransomware is particularly destructive as it will not only encrypt data files but will also encrypt executables, which will cause almost all of your applications to no longer operate. When a user is infected with this particular ransomware their data files will be renamed to a filename like Tulips.email@example.com_.crypt. The user is expected to email the address listed in the filename in order to get ransom payment instructions. Thankfully, Fabian was able create a program that can decrypt these variants as long as you have an unencrypted version of one of your files. A dedicated support topic for this ransomware and to provide assistance decrypting the files can be found here: Crypt Gomasom Ransomware (!firstname.lastname@example.org__.crypt) Support Topic.
It is currently unknown how this ransomware is being spread, but once installed it will create a random named malware executable in the C:\Users\User\AppData\Local\Microsoft Help\ and create an autorun for it so that it starts when you login to Windows. Once started, the ransomware will scan all drive letters for data files and executables and encrypt them. Once a file has been encrypted, it will rename them in the format of originalfilename.extension!__
If you are infected with this malware, simply download decrypt_gomasom.exe from the following link and save it on your desktop:
In order to find your decryption key, you need to drag an encrypted file and unencrypted version of the same file onto the decrypt_gomasom.exe icon at the same time. So you would select both the encrypted and unencrypted version of a file and drag them both onto the executable. If you do not have an an original version of one of your encrypted files, in our tests you can use a encrypted PNG file and any other unencrypted PNG file that you get off of the Internet and drag them together onto the decrypt_gomasom.exe icon. Once you determine the key used to encrypt one of your files, you can then use that key to decrypt ALL other files on your computer.
To show what I mean about dragging both files at the same time, see the example below. To create the key, I created a folder that contains an encrypted PNG file, a totally different valid PNG file, and the decrypt_gomasom.exe program. I then dragged both the regular PNG file and the encrypted one onto the executable at the same time.
When the program starts, you will be presented with a UAC prompt as shown below. Please click on Yes button to proceed.
The program will now brute force the key for the selected files. This could take some time, so please be patient. When a key was able to be brute forced, it will display it an a new window like the one below.
To start decrypting your files with this key, please click on the OK button. You will then be presented with a license agreement that you must click on Yes to continue. You will now see the main DecryptGomasom screen.
To decrypt the C:\ drive click on the Decrypt button. If there are other drives or folder you wish to decrypt that are not listed, you can click on the Add Folder button to add other folders that contain encrypted files. Once you have added all the folders you wish to decrypt, click on the Decrypt button to begin the decryption process. Once you click Decrypt, DecryptGomasom will decrypt all the encrypted files and display the decryption status in a results screen like the one below.
All of your files should now be decrypted.
For those who wish to know more technical information about this ransomware, you can read the section below. As already stated, we have created a dedicated forum topic to support the Gomasom Ransomware and to provide assistance with using this tool. This support topic can be found here: Crypt Gomasom Ransomware (!email@example.com__.crypt) Support Topic.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ "C:\Users\User\AppData\Local\Microsoft Help\<random>.exe" HKCU\Software\<random>