GoRed

Malware

⚠️ Overview

GoRed is a ransomware family written in the Go programming language, first documented in January 2022 by researchers at Trend Micro. It is attributed to a Russia-aligned threat cluster tracked by Microsoft as DEV-0504 and has historically targeted both Windows and Linux systems. Unlike many ransomware operations, GoRed does not run a data-leak site; ransom demands are delivered by email, which suggests a small, targeted operation rather than a broad affiliate programme.

🔧 Technical Capabilities

GoRed uses a hybrid encryption scheme: files are encrypted with AES-256 in CTR mode, and each AES key is wrapped with an RSA-4096 public key carried in the sample. Because only the matching private key can unwrap the file keys, neither host forensics after the fact nor captured C2 traffic yields usable key material, so recovery without the operator's key depends on backups. The malware enumerates logical drives and network shares, skipping the Windows directory, the Program Files folders, and files with extensions associated with system operation, the usual exclusions that keep the host bootable.

Persistence is achieved by creating a scheduled task named "GoogleUpdateTask" to mimic Google's updater; the genuine Google Update tasks are named GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA, so the exact name is distinguishable. Evasion techniques include embedded antivirus-bypass code, a sandbox check that aborts when the host has fewer than 2 CPU cores or less than 2 GB of RAM, and self-termination if a debugger is attached; analysis VMs should therefore be provisioned above both thresholds. C2 communication uses HTTPS over TCP port 443 to hard-coded IP addresses, with a JSON payload carrying victim system data and the RSA-wrapped key.

📜 History & Notable Incidents

GoRed was first observed in the wild in January 2022 in an attack on a South Korean cryptocurrency payment firm, which was contained before encryption took place. In April 2022 a Linux variant appeared that used the Log4j vulnerability (CVE-2021-44228, "Log4Shell") for initial access. Microsoft's 2022 Digital Defense Report linked DEV-0504 to the deployment of GoRed alongside the "Krasue" trojan in overlapping campaigns. No high-profile victim disclosure or law-enforcement takedown had been publicly recorded as of early 2025.

🔍 Detection Indicators

File hash: the page lists SHA-256 5a2f7d3e1b8c4f9a0e6d2b3c1a5f7e8d9c0b1a2f3e4d5c6b7a8f9e0d1c2b3a4 (sample from VirusTotal). As reproduced here the value is 63 hexadecimal characters, one short of a valid SHA-256, so confirm it against the original source before adding it to a blocklist.

Behavioral indicators: creation of a scheduled task named exactly "GoogleUpdateTask"; a ransom note named "!Go-RED-README.hta" dropped in every encrypted directory; and writes to the registry key HKCU\Software\GoRed\ID holding the victim's unique ID (in Sysmon Event ID 13 telemetry the same key appears as HKU\<SID>\Software\GoRed\ID).

Network indicators: HTTPS POST requests to addresses in 185.225.19.0/24 carrying the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36" in C2 beacons. The method and User-Agent are inside TLS, so they are observable only on the host or at an intercepting proxy; at the network edge only the destination address and port are visible. The User-Agent is also a stock Chrome 97 string that ordinary browsers sent at the time, so treat it as corroborating rather than standalone evidence.

☠️ Risk & Impact

The primary impact is file encryption that cannot be reversed without the operator's RSA private key, so data is lost unless it can be restored from backups or a ransom is paid (with no guarantee of a working decryptor). GoRed does not exfiltrate data in its default configuration; it is a pure encryptor, so the exposure is availability rather than confidentiality. Because it targets both Windows and Linux servers, it poses a business-continuity risk to small and medium enterprises in finance and technology and to managed service providers, whose compromise propagates to their customers. Reported demands range from 2 to 10 Bitcoin per incident.

🛡️ Mitigation

Defenders should apply the Log4j patch (CVE-2021-44228) to close the initial access vector used by the Linux variant. On Windows, audit scheduled-task creation (Security event ID 4698, which requires the "Other Object Access Events" audit subcategory) so that a task named "GoogleUpdateTask" is logged whether it is created with schtasks.exe or through the Task Scheduler API, and collect Sysmon process-creation (Event ID 1), file-creation (Event ID 11) and registry (Event ID 13) events to catch the ransom note and the HKCU\Software\GoRed key; AMSI scans script content and does not observe task creation. Organizations should deploy endpoint detection rules (e.g., the YARA rule win_go_red_ransomware from the VURLC YARA repository) and block outbound connections to the C2 range 185.225.19.0/24, bearing in mind that hard-coded addresses change between builds, so a default-deny egress policy for servers is more durable than a blocklist. Regular offline or immutable backups, with restores tested, remain the most effective mitigation against encryption.
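As an added example (not code from this page, from Trend Micro, or from any vendor), the following Go program applies the indicators and logging advice above to a few constructed telemetry records: scheduled-task creations as Security 4698 reports them, Sysmon file and registry events, and proxy records carrying the destination address and User-Agent. It scores a hit on the C2 range as high, scores a User-Agent match on its own as low, and deliberately does not fire on Google's genuine updater task names. The Event field names, host names, SID and sample records are this example's own assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Event is a normalised telemetry record (field names are this example's own).
type Event struct {
	Kind      string // "task", "file", "registry" or "network"
	Host      string
	TaskName  string // task: TaskName from 4698 (or the schtasks /tn argument)
	Path      string // file: TargetFilename; registry: TargetObject
	DstIP     string // network: destination address
	DstPort   int    // network: destination port
	UserAgent string // network: User-Agent, visible only at an intercepting proxy
}

// Finding is one rule hit; Severity is "high" or "low".
type Finding struct{ Rule, Severity, Host, Detail string }

// Indicators as listed on the page.
const (
	taskIOC   = "GoogleUpdateTask"
	noteIOC   = "!Go-RED-README.hta"
	regPrefix = `hkcu\software\gored`
	uaIOC     = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"
)

// c2Net is parsed once; the literal is well-formed, so the error is discarded.
var c2Net = func() *net.IPNet { _, n, _ := net.ParseCIDR("185.225.19.0/24"); return n }()

// baseName returns the last path component for Windows or POSIX separators.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// normalizeHive lower-cases a registry path and maps Sysmon's HKU\<SID>\... form onto hkcu\...
func normalizeHive(p string) string {
	l := strings.ToLower(p)
	if strings.HasPrefix(l, `hku\`) {
		rest := strings.TrimPrefix(l, `hku\`)
		if i := strings.Index(rest, `\`); i >= 0 {
			return `hkcu\` + rest[i+1:] // drop the SID component
		}
	}
	return l
}

// Evaluate applies the indicator rules to a batch of events.
func Evaluate(events []Event) []Finding {
	var out []Finding
	for _, e := range events {
		switch e.Kind {
		case "task":
			// Exact match only: Google's real updater registers GoogleUpdateTaskMachineCore
			// and GoogleUpdateTaskMachineUA, so a substring match would fire on every host.
			if strings.TrimPrefix(e.TaskName, `\`) == taskIOC {
				out = append(out, Finding{"gored_task", "high", e.Host, e.TaskName})
			}
		case "file":
			if strings.EqualFold(baseName(e.Path), noteIOC) {
				out = append(out, Finding{"gored_note", "high", e.Host, e.Path})
			}
		case "registry":
			if strings.HasPrefix(normalizeHive(e.Path), regPrefix) {
				out = append(out, Finding{"gored_regkey", "high", e.Host, e.Path})
			}
		case "network":
			ip := net.ParseIP(e.DstIP)
			switch {
			case ip != nil && c2Net.Contains(ip) && e.DstPort == 443:
				out = append(out, Finding{"gored_c2", "high", e.Host, e.DstIP})
			case e.UserAgent == uaIOC:
				// A stock Chrome 97 UA that real browsers also sent: weak on its own.
				out = append(out, Finding{"gored_ua", "low", e.Host, e.DstIP})
			}
		}
	}
	return out
}

// SampleEvents is constructed telemetry for the demo, not captured data.
func SampleEvents() []Event {
	return []Event{
		{Kind: "task", Host: "WS01", TaskName: `\GoogleUpdateTask`},
		{Kind: "task", Host: "WS02", TaskName: `\GoogleUpdateTaskMachineUA`}, // benign
		{Kind: "file", Host: "WS01", Path: `C:\Users\alice\Documents\!Go-RED-README.hta`},
		{Kind: "registry", Host: "WS01", Path: `HKU\S-1-5-21-1111-2222-3333-1001\Software\GoRed\ID`},
		{Kind: "network", Host: "WS01", DstIP: "185.225.19.77", DstPort: 443, UserAgent: uaIOC},
		{Kind: "network", Host: "WS03", DstIP: "203.0.113.10", DstPort: 443, UserAgent: uaIOC},
	}
}

func main() {
	for _, f := range Evaluate(SampleEvents()) {
		fmt.Printf("%-4s %-12s %-4s %s\n", f.Severity, f.Rule, f.Host, f.Detail)
	}
}
```

Run with `go run .`; the six sample records produce four high findings on WS01 and one low finding on WS03, and nothing for the legitimate Google task on WS02. Feeding real telemetry means mapping your SIEM's field names onto Event and, for the registry rule, keeping the HKU-to-HKCU normalisation, since reporting quotes the key as HKCU but Sysmon records it under the user's SID.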


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.