Some lucky users are about to have a merry Christmas. Users who had the bad luck of getting infected with the Gomasom ransomware can now start sending Christmas gifts to Fabian Wosar, a security researcher at Emsisoft, who managed to create a tool for decrypting files locked by this ransomware.
Compared to other ransomware families, Gomasom is a relatively new face on the malware market, rearing its ugly head only in the last few weeks.
Gomasom, named after “GOogle MAil ranSOM”, works by infecting a user's computer and then encrypting files, leaving a Gmail address in each file’s name and adding the .crypt file extension at the end.
Mr. Wosar created a tool that users can use to analyze encrypted files and obtain the decryption key. Once the decryption key is in the user’s possession, they can use the same tool to decrypt all their files.
The best decryption results are achieved when the user has access to a file in both its ransomware-encrypted and original versions. If not, don’t worry: users can take a PNG file encrypted by the ransomware and compare it to a random PNG file from the Internet. Results may vary with this method, though, and if you have GBs of encrypted data, the decryption process may take some time, even more than a day.
The Gomasom decryption tool is available from Emsisoft’s website, and usage instructions can be found on a Bleeping Computer forum thread.
Drag 2 PNG images onto the tool at the same time to start the decryption key extraction process.
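For responders who need to inventory affected files before running the decrypter, here is an added triage sketch (not part of the original article and not Emsisoft's code) that finds files carrying the marker described above and picks out encrypted PNGs usable for key extraction. The article does not give the exact file-name layout, so the pattern assumes only a Gmail address somewhere in the name and a trailing `.crypt`; the paths and the address are constructed placeholders.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SUFFIX = ".crypt"
# Assumption: Gmail local parts use letters, digits, dots and '+'. If the
# ransomware joins the original name and the address with one of those
# characters, the address boundary is ambiguous and needs manual review.
GMAIL_RE = re.compile(r"[a-z0-9.+]+@gmail\.com", re.IGNORECASE)

def parse_marker(name):
    """Return (gmail_address, original_name_part) for a marked name, else None."""
    if not name.lower().endswith(SUFFIX):
        return None
    m = GMAIL_RE.search(name[:-len(SUFFIX)])
    if m is None:
        return None
    return m.group(0).lower(), name[:m.start()]

def triage(paths):
    """Group marked files by contact address; list encrypted PNG candidates."""
    by_address = defaultdict(list)
    png_candidates = []
    for p in paths:
        parsed = parse_marker(PureWindowsPath(p).name)
        if parsed is None:
            continue
        address, original = parsed
        by_address[address].append(p)
        # Strip separator characters left between the old name and the address.
        if original.rstrip("_-!. ").lower().endswith(".png"):
            png_candidates.append(p)
    return dict(by_address), png_candidates

# Constructed sample listing (placeholder address, hypothetical layout).
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\logo.png_placeholder.contact@gmail.com.crypt",
    r"C:\Users\alice\Documents\budget.xlsx_placeholder.contact@gmail.com.crypt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Documents\archive.crypt",            # .crypt, no address
    r"C:\Users\alice\Desktop\mail to bob@gmail.com.txt",  # address, no .crypt
]

if __name__ == "__main__":
    groups, pngs = triage(SAMPLE_PATHS)
    for address, files in groups.items():
        print(f"{address}: {len(files)} affected file(s)")
    print("PNG candidates for key extraction:", pngs)
```

Requiring both the address and the `.crypt` suffix keeps unrelated `.crypt` files and ordinary files that merely mention a Gmail address out of the inventory.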