Trojan.Encoder.6491 targets Windows OS and is the first recorded ransomware variant that is written in Go, the programming language developed by Google. Its method of distribution is currently unknown. Encoder’s malicious executable file is named Windows_Security.exe. It targets 140 different file types and encrypts them using AES-256. Encoder even encrypts the file names using the Base64 method and then appends .enc to the files. It regularly checks the attacker’s Bitcoin wallet to determine whether or not the payment has been made by the victim and, if it has, Encoder automatically decrypts the files. Encoder demands a ransom payment of 0.052300 Bitcoin.

  • Dr. Web provides more information about Trojan.Encoder.6491 here.
  • Dr. Web has created a decryption tool for Trojan.Encoder.6491, but only provides free decryption service for Dr. Web customers who have purchased commercial licenses for the company’s products.