
GOTCHA Ransomware

Posted: April 18, 2019

The GOTCHA Ransomware is a file-locking Trojan that encrypts media files on your computer so that they can no longer be opened. It then demands a 'small fee' for restoring them to a readable state. Users should keep backups of their work as the primary defense against all threats of this category and use suitable anti-malware software to remove the GOTCHA Ransomware and stop further encryption attacks.

This Trojan's Gotcha by the Files

Nearly all of the file-locking Trojans that malware researchers collect and analyze fall into relatively clear patterns, most of them thanks to pre-existing code from Ransomware-as-a-Service businesses, public source code like Hidden Tear, or Trojan-building toolkits. The GOTCHA Ransomware is one of the few that doesn't fall obviously into a well-known sub-category of these threats. While malware researchers have found little information about how it circulates, its data-blocking feature does all the work that its author intends.

Like the majority of file-locker Trojans, the GOTCHA Ransomware runs on Windows, although some occasionally target Linux or Mac-based OSes. It searches for PDF documents, pictures, archives, and other files that may be valuable to the victim without being necessary for the operating system and 'locks' them with an encryption routine. It also prepends a 'GOTCHA!!' marker to each file's data to denote its captivity (which doubles as a recognizable signature of the affected files for anyone triaging a system), appends a '.gotcha' extension to each file's name, and leaves behind a '!GOTCHA!' ransom note.

The ransom note, a plain text file that opens in Notepad, doesn't fit the templates that malware researchers know from past campaigns and could be the original work of the Trojan's threat actor. The English text claims that the locking process uses AES and RSA, a claim that has not been verified, and asks victims to e-mail the provided address and prepare to pay a 'small fee' for the decryptor. Whether that claim holds matters for recovery: a correctly implemented AES-plus-RSA scheme leaves no free decryption route, whereas a weak or botched one sometimes does. The writer identifies as 'Team GOTCHA,' which isn't a known entity in other file-locking Trojans' attacks.
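The two preceding paragraphs give a responder exactly three artifacts to look for: the '.gotcha' extension, the 'GOTCHA!!' marker inside each locked file, and the '!GOTCHA!' note. The script below is an added triage example written for this page; it is not the Trojan's code and not a tool from the page's author. It walks a directory, flags files carrying the extension and marker, recovers the original filenames, and measures the entropy of each file body to check the note's encryption claim (properly encrypted data sits near 8 bits per byte, while a file that was merely renamed and tagged does not). Assumptions the page does not state, labelled in the code as well: the marker is the ASCII bytes GOTCHA!! at offset 0, the note's filename stem is exactly !GOTCHA! with any extension, and the 7.5 bits-per-byte threshold. The sample files are constructed inline, so the script runs offline and touches no real infection.

```python
"""Triage scanner for the GOTCHA Ransomware file-marking behaviour.

Added example, not code from the page, the Trojan, or the page's author.
Assumed details (the page does not specify them): the marker is the ASCII
bytes b"GOTCHA!!" at offset 0 of each locked file, locked files end in
".gotcha", and the ransom note's filename stem is "!GOTCHA!" (any extension).
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

MARKER = b"GOTCHA!!"      # assumed in-file marker (page: "prepends a 'GOTCHA!!' marker")
EXTENSION = ".gotcha"     # appended extension named on the page
NOTE_STEM = "!GOTCHA!"    # ransom-note name given on the page
HIGH_ENTROPY = 7.5        # assumed threshold in bits/byte; real ciphertext approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> Optional[dict]:
    """Return a triage record for one file, or None if it is not of interest."""
    if path.stem == NOTE_STEM:
        return {"path": str(path), "kind": "ransom_note"}
    if not path.name.endswith(EXTENSION):
        return None
    with path.open("rb") as fh:
        head = fh.read(len(MARKER))
        body = fh.read()
    has_marker = head == MARKER
    # Entropy is measured on the payload after the marker (or the whole file
    # if the marker is absent) so the constant prefix does not skew the score.
    ent = shannon_entropy(body if has_marker else head + body)
    return {
        "path": str(path),
        "kind": "locked_file",
        "has_marker": has_marker,
        "entropy": round(ent, 2),
        "looks_encrypted": ent >= HIGH_ENTROPY,
        "original_name": path.name[: -len(EXTENSION)],
    }


def scan_tree(root: Path) -> list:
    """Walk `root` and collect records for locked files and ransom notes."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rec = classify_file(Path(dirpath) / fname)
            if rec is not None:
                records.append(rec)
    return records


def summarize(records: list) -> dict:
    """Counts a responder wants at a glance, plus the recoverable filenames."""
    locked = [r for r in records if r["kind"] == "locked_file"]
    return {
        "ransom_notes": sum(r["kind"] == "ransom_note" for r in records),
        "locked_files": len(locked),
        "with_marker": sum(r["has_marker"] for r in locked),
        "looks_encrypted": sum(r["looks_encrypted"] for r in locked),
        "recoverable_names": sorted(r["original_name"] for r in locked),
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample data (not a real infection) for a dry run."""
    docs = root / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    # os.urandom stands in for ciphertext: about 8 bits/byte of entropy.
    (docs / "report.pdf.gotcha").write_bytes(MARKER + os.urandom(4096))
    # Renamed and tagged, but the body is still low-entropy plaintext.
    (docs / "notes.txt.gotcha").write_bytes(MARKER + b"quarterly figures\n" * 200)
    (docs / "!GOTCHA!.txt").write_text("Your files are encrypted. Contact Team GOTCHA.")
    (docs / "untouched.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 100)


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return summarize(scan_tree(root))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real system, point `scan_tree` at the user profile or a mounted image instead of the constructed tree. A locked file whose body scores well below the threshold is worth a closer look before assuming the note's AES/RSA claim is true, and the `recoverable_names` list tells you what to restore from backup.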

Don't Let Your Media Get 'Got'

It's plausible that the GOTCHA Ransomware bases itself on code from an older Trojan like the Hidden Tear and EDA2 projects. However, encrypting files, even without the owner's consent, isn't a high-complexity programming task, and many threat actors with minimal experience can accomplish it. Malware researchers aren't comfortable estimating whether or not locked files are recoverable without paying, but they don't recommend depending on the ransom as a solution, since criminals aren't always honest brokers.

Backing up work is the number-one way of keeping files out of the ransoming scenario that the GOTCHA Ransomware instigates. Suitable backups include additional security controls or total separation from any network-accessible system, such as a detached USB drive. If you have no other options and decryption isn't possible, advanced data repair tools can check for Shadow Volume Copies that could help restore files, although most file-locking Trojans delete them. Prioritize removing the GOTCHA Ransomware first with anti-malware tools, which halts the data encryption; it could otherwise continue for as long as the Trojan remains active.

The GOTCHA Ransomware is mildly interesting for not conforming to any of the recognizable traits of current trends in the file-locking Trojan industry. Its novelty doesn't lessen its attacks, however, which remain, as ever, an inconvenience and a danger to users without a backup or two.
