
Godes Ransomware

Posted: July 12, 2019

The Godes Ransomware is a file-locking Trojan from the STOP Ransomware family. This family operates as a Ransomware-as-a-Service business that hires itself out to other criminals, who create variants with their own customized names and infection methods. Users should back up their media preemptively to protect it against infections and keep a trusted anti-malware program available for when removing the Trojan is required.

The STOP Ransomware's Business Stays Seemingly Unstoppable

The STOP Ransomware, the Ransomware-as-a-Service Trojan that regularly sabotages files in Southeast Asia, has a new variant in deployment in an unknown area of the world. The Trojan is similar to most of the file-locking Trojans from its family (see: the Boston Ransomware, the Dotmap Ransomware, the Kiratos Ransomware, or the Myskle Ransomware, among others) and uses a standard encryption routine for locking media. Having locked that data, it leaves its victim between a rock and a hard place: lose the files or pay a ransom.

The Trojan conducts this file-locking attack with an AES and RSA encryption routine, much like many other competitors in the Ransomware-as-a-Service industry. Along with targeting documents, images, and other media, it adds an extension to their names ('godes,' in this case) and removes any Shadow Volume Copy-related backup data that it finds. There is also some risk of the Trojan dropping and installing other threats, such as information-collecting spyware.

Although the Trojan boasts the latest version number of its family, malware researchers see few behavioral changes in it. Updates may be concentrating on avoiding detection or analysis, which is highly relevant for users running virtual environments. Updating any local anti-malware solutions may also be crucial for identifying the Trojan.

Taking the Guesswork Out of the File-Ransoming Business

Although the Trojan's name includes etymology that could reference several European countries, most versions of the STOP Ransomware run campaigns against Thailand, India, the Philippines, and other Southeast Asian nations. Their infection methods also include several well-known, psychologically exploitative strategies:

  • Servers are vulnerable to attacks that search for outdated software with code-executing vulnerabilities, unsecured Remote Desktop features or brute-force-weak logins.
  • On an individual basis, PCs may experience infections through a range of download-related tactics, including torrents for illegally distributed media or piracy utilities, along with updates for products from brands like Adobe or Microsoft.
  • More specifically targeted attacks can abuse e-mail messages with content suited to persuading victims to open malicious attachments or links.

The file-locking methodology in modern versions of the STOP Ransomware is secure against all free decryption efforts so far. Users can counteract this issue by keeping well-updated backups and having anti-malware programs for deleting the Trojan as soon as they spot it.
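
As an added example (not code from the original page): a read-only Python inventory of files carrying the 'godes' extension described above, matched against a backup tree to show what the backups advised here can actually restore. The function names, and the assumption that the backup mirrors the affected directory's relative paths, are illustrative.

```python
import os
import sys
from collections import Counter

LOCKED_EXT = ".godes"  # extension this page says the Trojan appends to file names


def inventory_locked(root, backup_root=None):
    """List files under root that carry the appended extension.

    Each finding records the locked path, the original file name and type,
    and the matching file under backup_root (same relative path), if any.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(LOCKED_EXT) or len(name) == len(LOCKED_EXT):
                continue  # untouched file, or a file literally named ".godes"
            original = name[: -len(LOCKED_EXT)]
            rel = os.path.relpath(os.path.join(dirpath, original), root)
            backup = None
            if backup_root:  # assumption: backup tree mirrors the live tree
                candidate = os.path.join(backup_root, rel)
                backup = candidate if os.path.isfile(candidate) else None
            findings.append({
                "locked_path": os.path.join(dirpath, name),
                "original_name": original,
                "original_ext": os.path.splitext(original)[1].lower(),
                "backup": backup,
            })
    return findings


def summarize(findings):
    """Scope the damage: totals, restorable count, and a per-type breakdown."""
    restorable = sum(1 for f in findings if f["backup"])
    return {
        "locked": len(findings),
        "restorable": restorable,
        "no_backup": len(findings) - restorable,
        "by_type": dict(Counter(f["original_ext"] for f in findings)),
    }


if __name__ == "__main__":
    # Usage: python inventory.py <affected_dir> [<backup_dir>]
    found = inventory_locked(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    print(summarize(found))
    for f in found:
        if not f["backup"]:
            print("no backup copy:", f["locked_path"])
```

The script only reads directory listings, so it can be run against a mounted copy of the affected disk without altering evidence.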

Another offspring in the Trojan's Ransomware-as-a-Service industry is far from shocking, but its dedicated development is impressive by any standard. With the version releases climbing as high as 1.13, it's evident that criminals are, one way or another, turning this Trojan into money.