
'callmegoat@protonmail.com' Ransomware

Posted: March 20, 2019

The 'callmegoat@protonmail.com' Ransomware is a variant of the Globe Imposter Ransomware, a group of file-locking Trojans that imitate the Globe Ransomware by encrypting files and dropping similar ransom notes. Users should protect their documents and other work by backing them up to secure devices, since there is no freeware unlocker for recent releases of this family. Anti-malware software can also protect your files by removing the 'callmegoat@protonmail.com' Ransomware or blocking the exploit that installs it.

The Imposter Gets a Little Goatish

The Globe Imposter Ransomware, the family of file-locking Trojans most recognizable for imitating some of the cosmetics of the Globe Ransomware, is back again. Its newest variant, the 'callmegoat@protonmail.com' Ransomware, doesn't differ in its attack routines from the ANAMI Ransomware, the Healforyou Ransomware, the Eq Ransomware, the Uridzu Ransomware, and other members of the family. However, it may be borrowing its campaign's brand from a YouTube game-streaming channel.

The 'callmegoat@protonmail.com' Ransomware includes the traditional features of the Globe Imposter 2.0 Ransomware branch: a secure file-locking method whose unlocking key is held by a remote threat actor, a customizable extension appended to the names of the affected pictures, documents and other files, deletion of local backup information, and HTML ransom notes. The ransom note is the component that malware experts are connecting, superficially, to a Fortnite gaming channel that uses the same 'Call Me Goat' moniker as the Trojan campaign's e-mail address. This common ground doesn't necessarily imply guilt on the part of the channel's author, who may be the victim of a criminal's arbitrary or deliberately sabotaging choice of address.

The 'callmegoat@protonmail.com' Ransomware uses one of the more modern, red-background templates for its ransom instructions, which withhold most of the ransoming details but do offer a free decryption sample. While malware analysts generally recommend against paying for a possibly non-existent decryptor, the free sample may help recover a limited amount of data. Most 'callmegoat@protonmail.com' Ransomware infections will remove the information that would let Windows restore the files by default, although recovery tools such as ShadowExplorer can confirm whether any Shadow Volume Copies survived.

Herding All the Goats Out of Your Files

Decryption solutions for most modern Ransomware-as-a-Service families are very scarce. Unless legal authorities seize the threat actors' C&C infrastructure, it is improbable that victims can recover their files by decrypting them with the key that matches the 'callmegoat@protonmail.com' Ransomware's payload. Since the 'callmegoat@protonmail.com' Ransomware also removes the Windows Shadow Volume Copies, victims will need backups saved to other devices as the only definitive way of getting their files back.

The 'callmegoat@protonmail.com' Ransomware's executable pretends to be 'CMD,' the basic Windows component that handles text commands. However, whatever method the threat actor uses to circulate it is unlikely to keep that disguise up during the opening attack. The 'callmegoat@protonmail.com' Ransomware could arrive attached to a document exploit (such as a Word macro), reach victims randomly through torrents, or be planted after the criminals gain backdoor access to your server. Fortunately, virtually all anti-malware programs can protect your files by removing the 'callmegoat@protonmail.com' Ransomware on sight.
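Two of the behaviours described above, the executable posing as 'CMD' and the removal of the Windows Shadow Volume Copies, are things a responder can check for in process-creation telemetry. The Python below is an added example, not code from the original article or from the malware itself. The process records are constructed samples, and the list of shadow-copy deletion commands is an assumption drawn from general ransomware tradecraft, since the article does not say which command this variant uses.

```python
"""Triage helpers for two behaviours this article attributes to the
'callmegoat@protonmail.com' Ransomware: an executable that poses as cmd.exe
and the deletion of Windows Shadow Volume Copies.

The process records below are constructed sample data, not telemetry from a
real infection, and the shadow-copy command patterns are an assumption about
common ransomware tradecraft rather than anything the article states about
this variant.
"""
import re
from pathlib import PureWindowsPath

# Directories from which a genuine cmd.exe runs on a default Windows install
# (assumption; extend the set if your images differ).
LEGIT_CMD_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Command lines commonly used to destroy shadow copies and recovery data.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]


def is_masquerading_cmd(image_path: str) -> bool:
    """True if a process is named cmd.exe but runs from a non-system directory."""
    path = PureWindowsPath(image_path)
    if path.name.lower() != "cmd.exe":
        return False
    return str(path.parent).lower() not in LEGIT_CMD_DIRS


def deletes_shadow_copies(command_line: str) -> bool:
    """True if the command line matches a known shadow-copy deletion pattern."""
    return any(pattern.search(command_line) for pattern in SHADOW_DELETE_PATTERNS)


def triage(events):
    """Return [(pid, [reasons])] for every process record that looks suspicious."""
    findings = []
    for event in events:
        reasons = []
        if is_masquerading_cmd(event["image"]):
            reasons.append("cmd.exe outside System32/SysWOW64")
        if deletes_shadow_copies(event["cmdline"]):
            reasons.append("shadow copy deletion")
        if reasons:
            findings.append((event["pid"], reasons))
    return findings


# Constructed process-creation records (pid, image path, command line).
SAMPLE_EVENTS = [
    {"pid": 1204, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"pid": 3388, "image": r"C:\Users\Public\cmd.exe",
     "cmdline": r'"C:\Users\Public\cmd.exe"'},
    {"pid": 3412, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 3420, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 3501, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(f"PID {pid}: {', '.join(reasons)}")
```

Running the block flags the cmd.exe copy in a user-writable folder and the two destructive shadow-copy commands, while the benign `vssadmin list shadows` passes, because only destructive verbs are matched. A match on the second check is also the cue to run ShadowExplorer or a similar tool before assuming the copies are gone.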

Gaming and file-locking Trojans are two themes that seem to go well together, at least in the opinions of the criminals. Hopefully, whatever success comes to the YouTube streamer it references, the 'callmegoat@protonmail.com' Ransomware doesn't reap equal rewards in ransoms.
