{
	"id": "b45dea09-318e-4752-ae79-aec3a5dd42bd",
	"created_at": "2026-04-06T00:06:51.361Z",
	"updated_at": "2026-04-10T03:22:10.686446Z",
	"deleted_at": null,
	"sha1_hash": "d272a3bd0d1ad4f30533ed6e897145af64e85ff5",
	"title": "New Ransomware Variant Uses Golang Packer | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 969257,
	"plain_text": "New Ransomware Variant Uses Golang Packer | CrowdStrike\r\nBy Alexandru Ghita\r\nArchived: 2026-04-05 13:53:20 UTC\r\nCrowdStrike recently observed a ransomware sample borrowing implementations from previous HelloKitty and FiveHands variants and using a Golang packer compiled with the most recent version of Golang (Go1.16, released mid-February 2021). These ransomware families have been active since late 2019 and have been analyzed by the research community under different names based on various code overlaps. The similarities of this recent sample with previous HelloKitty and FiveHands variants include similar ransomware functions written in C++, acceptance of CLI arguments, the use of four magic bytes appended to the encrypted files, and the use of an embedded public key.\r\nRansomware Sample Analysis\r\nSimilar to FiveHands ransomware, this variant uses a unique executable packer that requires a key value, supplied with the command-line switch “-key”, to decrypt the payload in memory. This key is used to decrypt the embedded payload ransomware binary directly into memory. This memory-only dropper prevents security solutions from detecting the final payload without the unique key used to execute the packer. What’s new about this ransomware variant is the use of a Golang packer to encrypt the C++-written payload. Although Golang-written malware and packers are not new, compiling it with the latest Golang (Go1.16) makes it challenging for malware researchers to debug, because all necessary libraries are statically linked and included in the compiled binary, and function name recovery is difficult.\r\nFigure 1. Golang Encryptor help menu\r\nThe sample accepts different CLI arguments, suggesting it can limit the encryption to a specified path. After executing with the right key parameter (command execution: bin.exe -key \"\"), it starts decrypting the payload, which is then reflectively loaded into memory. The payload is the actual ransomware written in C++.\r\nhttps://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/\r\nPage 1 of 4\n\nFigure 2. Executable packer and key on the command line\r\nThe ransomware also has the capability to clear the Recycle Bin and to delete each Shadow Copy by ID (“Win32_ShadowCopy.ID”) using WMI functions (Figure 3), similar to other ransomware variants such as FiveHands and HelloKitty. We have also identified an implementation of “IoCompletionPorts” for a better threading model in the encryption process, similar to FiveHands.\r\nFigure 3. WMI functions for deleting shadow copies\r\nAn RSA public key is hard-coded in the code block. It is used to encrypt each file’s symmetric key, which is appended to the end of the encrypted file along with the four bytes D0 BA AD DE. These last four bytes are used to check whether the targeted file was previously encrypted. In the symmetric key generation process, we also found a code implementation using the Salsa20 algorithm. Finally, the encrypted files are renamed with the .locked extension. A ransom note is placed into each folder and directory, including the root path, after the files are encrypted. The ransom note file is named read_me_lock.txt and provides instructions to the victim on how to recover their encrypted files.\r\nFigure 4. Ransom note\r\nThe message does not provide a bitcoin wallet to which payment should be made. Instead, it offers a TOR link where victims can contact the ransom operators. The message also claims that over 1 TB of personal and sensitive data has been extracted from the victim, a potential extortion threat. Visiting the TOR address, victims are directed to a temporary chat session where they are encouraged to engage with the ransomware operators to negotiate decryption fees.\r\nFigure 5. TOR chat box for communicating with operators\r\nCrowdStrike Falcon® Protection\r\nThe CrowdStrike Falcon® sensor has the ability to detect the execution of the Golang packer using machine learning (ML), identifying it at a very early stage of execution, before it can deliver the ransomware payload. Falcon’s ML algorithm protects customers by providing coverage against this analyzed threat, as illustrated below.\r\nFigure 6. Packer process blocked by ML algorithm\r\nIndicators of Compromise (IOCs)\r\nFile: Ransomware Payload\r\nSHA256: b24dcfdda948b339637fe507cf032ec233288691b700e1585cb34b4190704858\r\nFile: Golang Packer\r\nSHA256: eeb51dce12f243b332b51d7b1b11ecff155dd823ff8f9b79d6ad486cc49098ba\r\nHardcoded asymmetric public key extracted from strings\r\nAdditional Resources\r\nLearn more about ransomware adversaries in the CrowdStrike Adversary Universe.\r\nDownload the CrowdStrike 2021 Global Threat Report for more information about adversaries tracked by CrowdStrike Intelligence in 2020.\r\nSee how the powerful, cloud-native CrowdStrike Falcon® platform protects customers from the latest variants of ransomware in these blogs: DarkSide Goes Dark: How CrowdStrike Falcon® Customers Were Protected and Under Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/"
	],
	"report_names": [
		"new-ransomware-variant-uses-golang-packer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434011,
	"ts_updated_at": 1775791330,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d272a3bd0d1ad4f30533ed6e897145af64e85ff5.pdf",
		"text": "https://archive.orkl.eu/d272a3bd0d1ad4f30533ed6e897145af64e85ff5.txt",
		"img": "https://archive.orkl.eu/d272a3bd0d1ad4f30533ed6e897145af64e85ff5.jpg"
	}
}