A new ransomware is in the wild that has been dubbed Gomasom (GOogle MAil ranSOM) by Fabian Wosar of Emsisoft because of the Gmail addresses it embeds in the names of the files it encrypts. This ransomware is particularly destructive: it encrypts not only data files but also executables, so almost every application on the infected machine stops working. When a user is infected, their data files are renamed to something like Tulips.jpg!___prosschiff@gmail.com_.crypt, and the victim is expected to email the address in the filename to get ransom payment instructions. Thankfully, Fabian was able to create a program that can decrypt these variants as long as you have an unencrypted copy of one of your files. A dedicated support topic for this ransomware, including help with decrypting the files, can be found here: Crypt Gomasom Ransomware (!___crydhellsek@gmail.com__.crypt) Support Topic.
It is currently unknown how this ransomware is being spread, but once installed it creates a randomly named malware executable in C:\Users\User\AppData\Local\Microsoft Help\ and adds an autorun entry for it so that it starts when you log in to Windows. Once started, the ransomware scans all drive letters for data files and executables and encrypts them. Once a file has been encrypted, it is renamed in the format originalfilename.extension!__
If you are infected with this malware, simply download decrypt_gomasom.exe from the following link and save it on your desktop:
DecryptGomasom Download
In order to find your decryption key, you need to drag an encrypted file and an unencrypted version of the same file onto the decrypt_gomasom.exe icon at the same time: select both the encrypted and the unencrypted version of a file and drag them together onto the executable. If you do not have an original version of any of your encrypted files, in our tests you can use an encrypted PNG file together with any other unencrypted PNG file downloaded from the Internet and drag the two onto the decrypt_gomasom.exe icon. Once the key used to encrypt one of your files has been determined, that same key can be used to decrypt ALL the other encrypted files on your computer.
To show what I mean about dragging both files at the same time, see the example below. To recover the key, I created a folder containing an encrypted PNG file, a completely different valid PNG file, and the decrypt_gomasom.exe program. I then dragged both the regular PNG file and the encrypted one onto the executable at the same time.
When the program starts, you will be presented with a UAC prompt as shown below. Click the Yes button to proceed.
The program will now brute force the key for the selected files. This can take some time, so please be patient. When a key has been found, it is displayed in a new window like the one below.
To start decrypting your files with this key, click the OK button. You will then be presented with a license agreement; click Yes to continue. You will now see the main DecryptGomasom screen.
To decrypt the C:\ drive, click the Decrypt button. If there are other drives or folders you wish to decrypt that are not listed, click the Add Folder button to add the folders that contain encrypted files. Once you have added all the folders you wish to decrypt, click the Decrypt button to begin the decryption process. DecryptGomasom will then decrypt all the encrypted files it finds and display the decryption status in a results screen like the one below.
All of your files should now be decrypted.
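The naming scheme described above (original name, a separator run, the attacker's contact address, another separator run and .crypt) is regular enough to parse, and parsing it is the quickest way to find every encrypted file on a volume, group them by the contact address, and pick the encrypted/plaintext pair the first step needs. The following is an added example, not code from the article or from Emsisoft's DecryptGomasom; the regular expression is an assumption generalised from the file names quoted on this page (underscore or hyphen separators, and the ".cypt" spelling a commenter reports for a later variant), the sample directory listing is constructed, and the fallback of pairing an encrypted PNG with any other clean PNG is the one the article reports as working in its tests.

```python
import re
from collections import defaultdict

# Gomasom renames each encrypted file to
#   <original name>!<separators><contact e-mail><separators>.crypt
# e.g. Tulips.jpg!___prosschiff@gmail.com_.crypt (from the article).
# The pattern is an assumption generalised from the names quoted on this page:
# separator runs of "_" or "-", and a ".cypt" spelling that a commenter reports
# for a later variant. Address characters exclude "_" and "-" so the separator
# runs stay unambiguous (Gmail local parts never contain them).
GOMASOM_NAME = re.compile(
    r"^(?P<original>.+)!(?P<sep>[_-]{2,})"
    r"(?P<email>[A-Za-z0-9.+]+@[A-Za-z0-9.]+)"
    r"[_-]+\.(?P<ext>crypt|cypt)$"
)


def parse_gomasom_name(name):
    """Split an encrypted file name into its parts, or return None if it
    does not follow the Gomasom naming scheme."""
    m = GOMASOM_NAME.match(name)
    if m is None:
        return None
    return {"original": m.group("original"),
            "email": m.group("email"),
            "ext": m.group("ext")}


def normalize_for_decryptor(name):
    """Rewrite a variant name into the "!___addr__.crypt" form the decryptor
    recognises; names that are not Gomasom-encrypted come back unchanged."""
    parts = parse_gomasom_name(name)
    if parts is None:
        return name
    return f"{parts['original']}!___{parts['email']}__.crypt"


def triage(names):
    """Group encrypted files by contact address and, for each address, pick an
    (encrypted, plaintext) pair to drop onto decrypt_gomasom.exe.

    Preferred pair: an encrypted file whose original still exists unencrypted
    in the same listing (e.g. restored from backup).  Fallback, as the article
    reports works: any encrypted PNG together with any other clean PNG.
    `names` is a flat list of bare file names.
    """
    clean = [n for n in names if parse_gomasom_name(n) is None]
    clean_set = set(clean)
    clean_png = [n for n in clean if n.lower().endswith(".png")]

    groups = defaultdict(list)
    for n in names:
        parts = parse_gomasom_name(n)
        if parts is not None:
            groups[parts["email"]].append(n)

    result = {}
    for email, encrypted in groups.items():
        pair = None
        for enc in encrypted:
            original = parse_gomasom_name(enc)["original"]
            if original in clean_set:
                pair = (enc, original)
                break
        if pair is None and clean_png:
            for enc in encrypted:
                if parse_gomasom_name(enc)["original"].lower().endswith(".png"):
                    pair = (enc, clean_png[0])
                    break
        result[email] = {"encrypted": encrypted, "pair": pair}
    return result


# Constructed sample directory listing for this example.
SAMPLE_LISTING = [
    "Tulips.jpg!___prosschiff@gmail.com_.crypt",
    "logo.png!___prosschiff@gmail.com_.crypt",
    "budget.xlsx!___prosschiff@gmail.com_.crypt",
    "wallpaper.png",   # unrelated clean PNG, usable as the plaintext half
    "readme.txt",
    "xyz.doc!---cryphelp963@gmail.com--.cypt",   # the variant spelling
]

if __name__ == "__main__":
    for email, info in triage(SAMPLE_LISTING).items():
        print(email, len(info["encrypted"]), "files; suggested pair:", info["pair"])
    print(normalize_for_decryptor("xyz.doc!---cryphelp963@gmail.com--.cypt"))
```

On the sample listing the prosschiff address gets the pair (logo.png!___prosschiff@gmail.com_.crypt, wallpaper.png), while the cryphelp963 group gets no pair because neither a clean original nor an encrypted PNG is available for it. normalize_for_decryptor is what the rename fix reported in the comments amounts to; apply it to the file names before running the tool, not to the file contents.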
For those who wish to know more technical information about this ransomware, you can read the section below. As already stated, we have created a dedicated forum topic to support the Gomasom Ransomware and to provide assistance with using this tool. This support topic can be found here: Crypt Gomasom Ransomware (!___crydhellsek@gmail.com__.crypt) Support Topic.
Files added by Gomasom:
%LocalAppData%\Microsoft Help\<random>.exe
Registry entries added by Gomasom:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ "C:\Users\User\AppData\Local\Microsoft Help\<random>.exe"
HKCU\Software\<random>
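The Run value is the one indicator above that can be checked mechanically, since the randomly named HKCU\Software subkey has no fixed name to match on. The following is an added example, not code from the article or from Emsisoft's tool: it flags Run values whose image path lies in %LocalAppData%\Microsoft Help\, with the environment variable either expanded or not. The sample Run values are constructed; on a real machine they would come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, and because the key lives under HKCU it has to be checked in every user's hive, not only the one currently logged on.

```python
import re

# Persistence indicator listed above: an HKCU Run value whose command
# launches a randomly named .exe dropped in %LocalAppData%\Microsoft Help\.
# HELP_DIR matches that directory with the variable expanded or unexpanded
# and requires the image to be an .exe.
HELP_DIR = re.compile(
    r"(?:\\AppData\\Local|%LocalAppData%)\\Microsoft Help\\[^\\]+\.exe$",
    re.IGNORECASE,
)

# For unquoted command lines the image path is everything up to the first
# ".exe" that is followed by whitespace or the end of the string; this keeps
# paths that themselves contain spaces ("Microsoft Help") intact.
UNQUOTED_IMAGE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def command_image_path(command):
    """Return the executable path from a Run value's command line.
    Quoted paths are taken up to the closing quote; unquoted ones up to the
    first .exe token, falling back to the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = UNQUOTED_IMAGE.match(command)
    if m:
        return m.group(1)
    return command.split(None, 1)[0] if command else ""


def gomasom_run_entries(run_values):
    """Given {value name: command} pairs from an HKCU Run key, return the
    entries whose image lives in the Gomasom drop directory."""
    return {name: cmd for name, cmd in run_values.items()
            if HELP_DIR.search(command_image_path(cmd))}


# Constructed sample Run values for this example (value names and the random
# executable names are made up).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Update": r'"C:\Users\User\AppData\Local\Microsoft Help\kqzpxv.exe"',
    "Sidebar": r"%ProgramFiles%\Windows Sidebar\sidebar.exe /autoRun",
    "Helper": r"%LocalAppData%\Microsoft Help\a7f3.exe",
}

if __name__ == "__main__":
    for name, cmd in gomasom_run_entries(SAMPLE_RUN_VALUES).items():
        print(f"suspicious Run value {name!r}: {cmd}")
```

Run against the sample values, only "Update" and "Helper" are reported; the OneDrive entry, whose path also passes through AppData\Local\Microsoft, is not, because the check requires the "Microsoft Help" directory itself.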
Comments
Anoop0085 - 8 years ago
can we use this for .vvv extension
xXToffeeXx - 8 years ago
No, this cannot be used for TeslaCrypt (https://www.bleepingcomputer.com/forums/t/575875/new-teslacrypt-version-released-that-uses-the-exx-extension/), which is what you have.
Scarymonkey - 8 years ago
Is there any new variant out there?
A customer of mine had his work network infected over the weekend. Filenames are like:
xyz.doc!---cryphelp963@gmail.com--.crypt
I compared multiple files with this tool and always got the same decryption key (3 different files gave the very same key as the result), BUT when I want to decrypt a custom folder it tells me:
"Looking for active infection...
No active infection found
Finished"
And nothing is decrypted. I already sent an email to fw@...... with example files, but perhaps here is a faster way :)
I tried running the tool on my laptop, on one of his workstations and even on one of his servers, always with the very same result, and now I'm seeking help :)
Scarymonkey - 8 years ago
Found out the error. Apparently there is a new variant out in the wild that renames to xyz.doc!---cryphelp963@gmail.com--.cypt instead of the posted xyz.doc!___cryphelp963@gmail.com__.crypt, and then your tool doesn't recognize the encrypted files. After renaming, it does work.
Miguelw - 8 years ago
Hello, I have this variant: sos@encryption.guru. Is there a way to decrypt the files?
michele41083 - 8 years ago
Hello, My personal files were encrypted by a ransomware identified as Gomasom. Files are now with extension *.doc.crypt, *.pdf.crypt, *.docx.crypt, *.xls.crypt, *.xlsx.crypt, *.p7m.crypt.
Is there a way to decrypt the files?
mcerdem - 8 years ago
@michele41083, did you try the Kaspersky decryptors and Emsisoft's DecryptGomasom software?
CTRLsupport - 7 years ago
I seem to have this infection (well, a variant of it); all of my files now have __667755archi@gmail.com__.tar added to them. I am trying this fix now, but could someone please let me know if this will work.
Thanks
fairkop - 7 years ago
I have this same variant as the previous poster: __667755archi@gmail.com__.tar
These instructions did not work for me
Nebojsha - 7 years ago
Is it necessary to log on to the computer with the same user that was used to install the virus?
fmogro - 7 years ago
I have ____lynxsend@gmail.com___trw
Does someone have the same trouble?
When I check, it says Gomasom, but I cannot decrypt.