TurtleRansom

Summary
Ransomware specimen written in Go, still in an early stage of development
Class
Ransomware
Class Summary
Ransomware is a form of malicious software that encrypts files on your device, making them inaccessible. The attacker then demands a ransom to decrypt the files. If ransomware is detected, be aware that there is no guarantee the attacker will provide the decryption key once the ransom is paid. Disconnect the affected system from your network to prevent the ransomware from spreading, and consult a security specialist. Regular backups are key to recovering from ransomware attacks.
Description

TurtleRansom is a ransomware developed in Go, capable of encrypting common file types such as .doc, .docx, and .txt. It uses Go's standard crypto/aes package for encryption with the hardcoded key wugui123wugui123; because AES is a symmetric algorithm, the same key also decrypts the files. TurtleRansom loads each file into memory, encrypts it with AES, appends a .TURTLERANSv0 extension, and overwrites the file contents with the encrypted data. In its current phase, this ransomware poses a low risk to users because of Apple's built-in security, but it indicates that malware authors are evolving their toolsets to target macOS.

Example Hashes
  • aad142a701e8b27278477e52582d2b7e49cda1f4
  • 264a7608b986f2aa163ee173828d7f1d44061a54
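The indicators given on this page (the two example hashes, the hardcoded key string, and the .TURTLERANSv0 extension) are enough for a simple host triage pass. The script below is an added example, not code from the original page or from the TurtleRansom sample; it assumes the example hashes are SHA-1 digests (they are 40 hex characters) and that the key appears as a plain byte string somewhere in the binary. The demo directory it builds is constructed data, not real artefacts.

```python
"""Triage helper for the TurtleRansom indicators listed above.

Added example, not code from the original page. Assumptions: the two example
hashes are SHA-1 digests (40 hex characters), and the hardcoded AES key is
present as a plain byte string in the sample binary.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the page text.
KNOWN_SAMPLE_HASHES = {
    "aad142a701e8b27278477e52582d2b7e49cda1f4",
    "264a7608b986f2aa163ee173828d7f1d44061a54",
}
HARDCODED_KEY = b"wugui123wugui123"
ENCRYPTED_SUFFIX = ".TURTLERANSv0"


def sha1_of_file(path):
    """Stream a file through SHA-1 and return the hex digest."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_known_hash(path):
    """True if the file's SHA-1 is one of the example hashes above."""
    return sha1_of_file(path) in KNOWN_SAMPLE_HASHES


def contains_hardcoded_key(path):
    """True if the raw key bytes occur anywhere in the file.

    The page gives the key but not its location in the binary, so a whole-file
    search is used (assumption). A cheap secondary indicator for unknown builds.
    """
    with open(path, "rb") as f:
        return HARDCODED_KEY in f.read()


def find_encrypted_files(root):
    """List files carrying the extension TurtleRansom appends."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(ENCRYPTED_SUFFIX):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def triage(root):
    """Summarise indicators found under root as a dict of sorted path lists."""
    encrypted = find_encrypted_files(root)
    suspicious = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                continue  # victim file, already counted
            if matches_known_hash(p) or contains_hardcoded_key(p):
                suspicious.append(p)
    return {"encrypted_files": encrypted, "suspicious_binaries": sorted(suspicious)}


def build_demo_tree():
    """Create a throwaway directory with constructed artefacts for the demo."""
    root = tempfile.mkdtemp(prefix="turtleransom_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    # One "encrypted" victim file and one untouched file (constructed).
    (docs / "report.docx.TURTLERANSv0").write_bytes(b"\x00" * 32)
    (docs / "notes.txt").write_bytes(b"plain text, untouched")
    # A fake binary embedding the key string (constructed; not the real sample).
    (Path(root) / "updater").write_bytes(b"junk bytes " + HARDCODED_KEY + b" more junk")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for kind, paths in triage(demo_root).items():
        print(kind)
        for p in paths:
            print("  ", p)
```

On a real host, point triage() at the user's home directory; the hash check identifies the two catalogued builds, the key search helps with recompiled variants that keep the same key, and the extension scan sizes the damage before recovery is attempted.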