3 min read

GoGoogle Decryption Tool

Bitdefender

May 07, 2020

GoGoogle Decryption Tool

We’re happy to announce the availability of a new decryptor for GoGoogle (aka BossiTossi) ransomware. This family of ransomware is written in Go and generates encrypted files with the .google extension.

Spotted in April 2020, GoGoogle ransomware has several peculiarities.

First of all, it is written in Golang, a programming language that has grown popular among ransomware creators as of late. Secondly, the two versions of GoGoogle use two distinct encryption methods, depending on the size of the files to be encrypted. While one version exclusively uses XOR-based encryption, the other uses XOR for files larger than 1MB and RSA 1024 for smaller files.

This decryptor currently solves infections for .google files encrypted with the XOR method. An updated decryptor to become available in the future will handle the RSA 1024 scenario as well.

How to use this tool

Step 1: Download the decryption tool below and save it on your computer.

Download the GoGoogle decryptor

Step 2: Double-click the file (previously saved as BDGoGoogleDecryptor.exe) and allow it to run.

Step 3: Select “I Agree” in the License Agreement screen

Step 4: Select “Scan Entire System” if you want to search for all encrypted files, or just add the path to your encrypted files.   We strongly recommend you also select “Backup files” before starting the decryption process. Then press “Scan”.

The “test folder” must contain two pairs of original/encrypted files which will be used to determine the decryption type. It is essential that this folder only contains two pairs:

-1 pair of encrypted/original files, both smaller than 1 MB.
-1 pair of encrypted/original files, both larger than 2 MB.  
NOTE: Some versions of GoGoogle are known for irrecoverably altering files under 2MB.

Users may also check the “Overwrite existing clean files” option under “Advanced options” so the tool will overwrite possible present clean files with their decrypted equivalent.

The tool can also run  silently, via a command line. If you need to automate deployment of the tool inside a large network, you might want to use this feature.  
  
•    -help - provides information on how to run the tool silently (this information will be written in the log file, not on console) 
•    start - this argument allows the tool to run silently (no GUI)  
•    -path - this argument specifies the path to scan 
•    -test - this argument specifies the test path where should be a pair of original/encrypted files 
•    o0:1 - enables Scan entire system option (ignoring -path argument) 
•    o1:1 - enables Backup files option 
•    o2:1 - enables Overwrite existing files option 
  
Examples:  
  
BDGoGoogleDecryptor.exe start -path:”C:\” -> the tool starts with no GUI and scan C:\  
BDGoGoogleDecryptor.exe start o0:1 -> the tool starts with no GUI and scan entire system 
BDGoGoogleDecryptor.exe start o0:1 o1:1 o2:1 -> the tool scans the entire system, backup the encrypted files and overwrite present clean files .

Acknowledgement:

This product includes software developed by the OpenSSL Project, for use in the OpenSSL Toolkit (http://www.openssl.org/)

tags


Author



Right now

Top posts

LuminousMoth – PlugX, File Exfiltration and Persistence Revisited

LuminousMoth – PlugX, File Exfiltration and Persistence Revisited

July 21, 2021

9 min read
How We Tracked a Threat Group Running an Active Cryptojacking Campaign

How We Tracked a Threat Group Running an Active Cryptojacking Campaign

July 14, 2021

10 min read
A Note from the Bitdefender Labs Team on Ransomware and Decryptors

A Note from the Bitdefender Labs Team on Ransomware and Decryptors

May 26, 2021

2 min read
New Nebulae Backdoor Linked with the NAIKON Group

New Nebulae Backdoor Linked with the NAIKON Group

April 28, 2021

1 min read
Good riddance, GandCrab! We’re still fixing the mess you left behind.

Good riddance, GandCrab! We’re still fixing the mess you left behind.

June 17, 2019

5 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

LuminousMoth – PlugX, File Exfiltration and Persistence Revisited LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
Bogdan BOTEZATUVictor VRABIE
9 min read
Debugging MosaicLoader, One Step at a Time Debugging MosaicLoader, One Step at a Time
Janos Gergo SZELESBogdan BOTEZATU
1 min read
How We Tracked a Threat Group Running an Active Cryptojacking Campaign How We Tracked a Threat Group Running an Active Cryptojacking Campaign
Bitdefender

July 14, 2021

10 min read