The Golden Axe ransomware doesn't appear to be inspired by the 1989 Sega classic of the same name, though there's no way of knowing. The threat actors behind this crypto-ransomware variant began distributing Golden Axe sometime in March 2019; it was discovered by Twitter user @tkanalyst on March 17, 2019, who noted that the payload was being delivered via malvertising. Once executed, the ransomware does what you would expect: it encrypts files and drops a ransom note. Golden Axe does have a few distinguishing characteristics, however. The first is its file extension, a 5-character alphanumeric string generated at runtime, so each execution of the ransomware produces a different 5-character string. That string is appended to the names of encrypted files and also appears in the names of the ransom notes, of which there are three:
- an image of a ransom note: # instructions-<5-alphanumeric character ID>.jpg
- a ransom note text file: # instructions-<5-alphanumeric character ID>.txt
- a VBS file that, when executed, plays a soundbite letting you know your files have been encrypted: # instructions-<5-alphanumeric character ID>.vbs
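Because the ID is generated per run, a static extension-based indicator is useless; what is stable is the note-name pattern and the fact that the notes and the encrypted files share one ID. The following Go program (an added example written for this post, not code from the sample or from @tkanalyst) scans a directory listing for that scheme and recovers the ID. It assumes the ID is separated from the original file name by a dot, which the write-up does not state, and the listing it runs on is constructed:

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Note-name pattern from the write-up:
// "# instructions-<5 alphanumeric chars>.jpg|txt|vbs" (the "# " prefix is part of the name).
var notePattern = regexp.MustCompile(`^# instructions-([A-Za-z0-9]{5})\.(jpg|txt|vbs)$`)

// Triage collects what the naming scheme reveals about one ransomware run.
type Triage struct {
	ID        string   // per-run 5-character ID recovered from the note names
	Notes     []string // the three ransom note files carrying that ID (jpg, txt, vbs order)
	Encrypted []string // files whose final extension is ".<ID>" (dot separator is an assumption)
}

// SampleListing is a constructed directory listing, not data from the analysed sample.
// It holds one complete note set (ID Qz7bK), two encrypted files, an untouched file,
// and a stray note whose ID has no matching jpg/vbs and so is not counted as a run.
var SampleListing = []string{
	"# instructions-Qz7bK.jpg",
	"# instructions-Qz7bK.txt",
	"# instructions-Qz7bK.vbs",
	"budget.xlsx.Qz7bK",
	"photo.jpg.Qz7bK",
	"notes.txt",
	"# instructions-AAAAA.txt",
}

// ScanNames returns one Triage per ID for which all three note types are present,
// sorted by ID so the output is deterministic. A host hit twice yields two entries.
func ScanNames(names []string) []Triage {
	seen := map[string]map[string]string{} // id -> note extension -> file name
	for _, n := range names {
		if m := notePattern.FindStringSubmatch(n); m != nil {
			if seen[m[1]] == nil {
				seen[m[1]] = map[string]string{}
			}
			seen[m[1]][m[2]] = n
		}
	}
	var out []Triage
	for id, notes := range seen {
		if len(notes) != 3 {
			continue // incomplete note set: not treated as a confirmed run
		}
		t := Triage{ID: id, Notes: []string{notes["jpg"], notes["txt"], notes["vbs"]}}
		for _, n := range names {
			// Note names end in .jpg/.txt/.vbs, so this suffix check only matches encrypted files.
			if strings.HasSuffix(n, "."+id) {
				t.Encrypted = append(t.Encrypted, n)
			}
		}
		out = append(out, t)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out
}

func main() {
	for _, t := range ScanNames(SampleListing) {
		fmt.Printf("run ID %s: %d notes, %d encrypted files\n", t.ID, len(t.Notes), len(t.Encrypted))
		for _, f := range t.Encrypted {
			fmt.Println("  ", f)
		}
	}
}
```

Requiring all three note types before reporting a run keeps a single stray file from being flagged, and sorting the results makes the scan safe to diff across hosts.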
The only sample we have found has the SHA-256 hash c40ba66fd4c3061429b092d378da5f6a648edc38e8be83992fdb77fb6200dbe2. We analyzed the UPX-packed sample, unpacked it, and extracted a few characteristics, which are shown below. It was written in Go (Golang) and uses a hybrid encryption scheme: the RC4 stream cipher encrypts the files, and RSA encrypts the RC4 key.
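To make the consequence of that hybrid scheme concrete, here is an added Go example (written for this post, not code recovered from the sample) showing why the files cannot be recovered without the operator's RSA private key: each file is RC4-encrypted under a random key, and only the RSA-wrapped copy of that key is left behind. The 16-byte RC4 key length, the use of OAEP padding, and a fresh key per file are assumptions for the illustration; the write-up establishes only that RC4 encrypts the files and RSA encrypts the RC4 key. The plaintext is constructed:

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rc4"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what is left on disk per file: the RSA-wrapped RC4 key and the RC4 ciphertext.
type Envelope struct {
	WrappedKey []byte // RC4 key encrypted with the operator's RSA public key
	Ciphertext []byte // file body encrypted with RC4 under that key
}

// EncryptFile implements the hybrid scheme: random RC4 key, RC4 over the plaintext,
// RSA-OAEP over the RC4 key. Key size and padding are assumptions, not from the sample.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (Envelope, error) {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	c, err := rc4.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	ct := make([]byte, len(plaintext))
	c.XORKeyStream(ct, plaintext)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptFile is the operator-side recovery: unwrap the RC4 key with the private key,
// then run RC4 again (RC4 is symmetric, so encryption and decryption are the same operation).
func DecryptFile(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err // OAEP integrity check fails for any key other than the operator's
	}
	c, err := rc4.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(env.Ciphertext))
	c.XORKeyStream(pt, env.Ciphertext)
	return pt, nil
}

// DemoResult records the three properties the round trip checks.
type DemoResult struct {
	Recovered        bool // the operator's private key restores the plaintext
	WrongKeyRejected bool // a different private key cannot unwrap the RC4 key
	FreshKeyPerFile  bool // the same plaintext encrypts to different ciphertext each time
}

// Demo runs the scheme end to end with a constructed plaintext.
func Demo() (DemoResult, error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return DemoResult{}, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for a victim guessing a key
	if err != nil {
		return DemoResult{}, err
	}
	plaintext := []byte("constructed sample file body, not taken from the analysed binary")
	e1, err := EncryptFile(&operator.PublicKey, plaintext)
	if err != nil {
		return DemoResult{}, err
	}
	e2, err := EncryptFile(&operator.PublicKey, plaintext)
	if err != nil {
		return DemoResult{}, err
	}
	got, err := DecryptFile(operator, e1)
	if err != nil {
		return DemoResult{}, err
	}
	_, wrongErr := DecryptFile(other, e1)
	return DemoResult{
		Recovered:        bytes.Equal(got, plaintext),
		WrongKeyRejected: wrongErr != nil,
		FreshKeyPerFile:  !bytes.Equal(e1.Ciphertext, e2.Ciphertext),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered=%v wrongKeyRejected=%v freshKeyPerFile=%v\n",
		r.Recovered, r.WrongKeyRejected, r.FreshKeyPerFile)
}
```

The practical point for an analyst is where to look: RC4 itself is not the weak link in this design, so any decryptor without the operator's private key has to come from how the binary generates, stores, or transmits the RC4 key, which is what the unpacked sample should be examined for.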