Gold ransomware belongs to the notorious Dharma ransomware family. It encrypts files, adds the [email@example.com].gold file extension, and drops the FILES ENCRYPTED.txt ransom note. The note demands that users pay a certain sum of money to get a decryptor.
What is Gold ransomware?
Gold ransomware is file-encrypting malware that belongs to the Dharma malware family. It’s one of the more dangerous pieces of malware because it encrypts files, and it’s not always possible to recover them. The ransomware gang behind this ransomware will try to sell victims the decryptor, which would supposedly decrypt the files. However, there is no way of knowing whether files would actually be decrypted, thus paying the ransom is not recommended.
The only sure way to recover files is from backup. If users had backed up files prior to their encryption, then there should be no issue with restoring them. However, users should first make sure that they delete Gold ransomware from their computers. Otherwise, those backed up files may become encrypted as well.
Unfortunately, there currently is no free way to decrypt files. Malware researchers do release free decryptors to help victims but it’s not always possible. Victims should periodically check Emsisoft and NoMoreRansom for decryption tools. And it should be mentioned that malware distributors/operators have started disguising malware as ransomware decryptors so users should be very careful about where they download decryptors from.
How does ransomware infect a computer?
Users usually infect their computers with ransomware because of bad browsing habits, such as opening spam email attachments, downloading torrents and software cracks, as well as clicking on malicious ads.
All kinds of malware are distributed via torrents sites and forums. Torrent sites are very often not regulated, which means cyber crooks can easily disguise malware as torrents for popular content like movies, TV shows, games, etc. The same goes for forums and sites promoting software cracks. By pirating and downloading torrents, users are risking infecting their computers with serious malware, which could lead to permanent file loss.
Clicking on ads while on high-risk websites can also lead to malware. Certain sites like pornography pages host dangerous ads, which if clicked could redirect to malicious sites that may try to trick users into downloading malware. To avoid getting redirected and seeing pop-ups, it’s a good idea to have adblocker enabled.
Spam emails remain one of the most common ways users infect their computers with malware. Users whose email addresses have leaked in various data breaches may often receive spam emails containing all kinds of malware attached. All it takes is opening the attached file and enabling macros. In many cases, these malicious emails are pretty obvious. For one, they are sent from nonsense email addresses, despite senders claiming to be from legitimate companies/organizations. If they contain text, it’s usually full of grammar and spelling mistakes. As long as users know what to look for, they should be able to differentiate the legitimate emails from malicious ones. However, just to be on the safe side, users should always scan unsolicited email attachments with anti-malware software or VirusTotal.
What does Gold ransomware do?
When the ransomware is initiated, it will start encrypting files. It targets the same files all ransomware does, and that includes documents, photos, videos, etc. Encrypted files will have the unique ID.[firstname.lastname@example.org].gold extension added, hence why this malware is known as Gold ransomware. For example, image.jpg would become image.jpg.uniqueID.[email@example.com].gold. Unfortunately, as soon as files are encrypted, users will be unable to open them unless they are decrypted first. To decrypt them, victims need to get the specific decryptor that is sold by the operators of this malware. How these cyber crooks want victims to purchase the decryptor is explained in the FILES ENCRYPTED.txt ransom note. A pop-up window will also display the note.
Here is the text ransom note:
YOUR FILES ARE ENCRYPTED
Don’t worry,you can return all your files!
If you want to restore them, follow this link:email firstname.lastname@example.org YOUR ID –
If you have not been answered via the link within 12 hours, write to us by e-mail:email@example.com
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The note displays the victim’s unique ID and asks that an email with it is sent to firstname.lastname@example.org. The ransom sum for the decryptor is not mentioned in the ransom note and would be revealed to users who contact this ransomware gang. However, it is not recommended to engage with these cyber crooks, as nothing good will come of it. It should be mentioned that many times have users paid the ransom only to receive nothing in return. Victims should keep in mind who they are dealing with before making the decision to pay.
Those who do not have backup should also be very careful about decryptors offered for free. While malware researchers do release free decryptors to help users recover files, there are plenty of malicious decryptors advertised as legitimate. Before downloading a decryptor, users should research who is offering it and make sure it’s legitimate. Users should also be very careful with services that offer to decrypt files for a fee.
Overall, the only current way to recover files for free is via backup. For those who have not backed up files, they ought to back up the encrypted files and wait for a potential decryptor to become available.
How to delete Gold ransomware
Gold ransomware removal should only be done with anti-malware software. Users manually trying to remove Gold ransomware could lead to even more damage, as ransomware is a complex infection. Once the ransomware has been deleted, users can access their backup and start recovering files.
Gold ransomware is detected as:
- Trojan.Ransom.Crysis.E by BitDefender
- A Variant Of Win32/Filecoder.Crysis.P by ESET
- Ransom.Crysis.Generic by Malwarebytes
- Ransom:Win32/Wadhrama!hoa by Microsoft
- Ransom-Dharma!0F7B881710D6 by McAfee
- Trojan-Ransom.Win32.Crusis.to by Kaspersky