
GO Language Based Ebyte Ransomware – A Brief Analysis

Published On : 2025-03-06

EXECUTIVE SUMMARY

At CYFIRMA, we are committed to delivering timely insights into emerging cyber threats and the evolving tactics of cybercriminals targeting individuals and organizations. This report provides a concise analysis of EByte Ransomware, highlighting its techniques, impact, and potential risks.

A new ransomware variant, written in Go, uses ChaCha20 to encrypt user data and ECIES to wrap the per-file key and nonce so that only the holder of the matching private key can recover them; it also replaces the system wallpaper. Its developer, EvilByteCode, who has a history of creating multiple offensive security tools, has published EByte Ransomware on GitHub. Although it is claimed to be for educational purposes, it is a working locker with a web control panel: it can establish persistence, execute unauthorized commands, and communicate over C2 infrastructure. That makes it a real risk if misused, and misuse would carry severe legal consequences.

INTRODUCTION

CYFIRMA has observed a new open-source ransomware, "EByte Ransomware", developed in Go and shared on GitHub. It targets Windows systems, combines symmetric and asymmetric encryption, and appends a unique extension to every encrypted file.

Target Technologies: Windows
Encrypted Files Extension: .EByteLocker
Ransom Note File: Decryption Instructions.txt
Contact Mode: Email
Based On: Prince Ransomware
Programming Language: Go

The ransomware combines ChaCha20 (for file content) with ECIES (for the per-file key and nonce), so encrypted files cannot be restored by conventional recovery methods; decryption is only possible with the designated decryptor, which holds the matching ECIES private key.

ANALYSIS

Main Server.go

This Go program is the web server behind the Ebyte-Locker control panel. It initializes a database connection via database.InitDB() for persistent storage, serves the static front-end from the ./frontend directory with http.FileServer, and routes the API endpoints /dashboard-data, /launch, /graph-data, /mini-graphs-data and /generate-locker to their handler functions in the handlers package. The server listens on port 8080 (hXXp://localhost[:]8080), logs when it starts, and logs a fatal error if it fails to start.

Web-based control panel

Execution – User Execution: Malicious File: The /launch and /generate-locker endpoints are used to build executable payloads and to register a launch. An operator with access to the panel can generate a locker and follow its execution on a target system; this is the path through which the ransomware lockers are deployed.

Persistence – Server Software Component: The web server, once started, remains active and continuously processes incoming requests. If it is exposed, it lets an attacker keep a foothold by serving payloads or receiving check-ins, and the database (database.InitDB()) provides persistent storage that could hold attacker-controlled configuration or access credentials.

Command and Control – Application Layer Protocol: The API endpoints /dashboard-data, /graph-data and /mini-graphs-data carry structured data between the locker and the panel, and can be used to exfiltrate data, pass commands, or otherwise link a compromised host to the attacker's C2 infrastructure. Using plain HTTP lets the traffic blend in with ordinary web activity.

Defense Evasion – Indicator Removal on Host: If the database contains logs or operational data, a compromised version of this application could be manipulated to delete or alter logs, preventing forensic analysis. An attacker with access to database operations could modify stored data to hide malicious activities.

Encryption Execution (main.go)

  • Locker ID Transmission: Sends a unique locker ID and a timestamp to a remote server (e.g. hXXp://localhost[:]8080/launch). This lets the operator track infections and tie a victim to its decryption key.
  • Drive Scanning & Encryption: Detects all available drives (C:, D:, etc.) and encrypts files recursively in each drive using filewalker.EncryptDirectory().
  • Wallpaper Modification: Downloads a ransom wallpaper via PowerShell and uses Windows API (user32.dll) to set it as the desktop background.

Security Risks & Impact

  • Broad File Encryption: Encrypts all files except system-critical ones, making user data inaccessible while keeping the host bootable so the victim can read the ransom note.
  • Persistence & C2 Communication: Sends victim data to a control server, allowing remote tracking of infections.
  • Evading Detection: Skips executable and system files, which reduces the chance of crashing the host or triggering antivirus software.

Encrypter

EByte Locker is designed to encrypt files on a system and modify the desktop wallpaper. Below is a breakdown of its key functionalities:

Configuration Module (configuration Package)

  • Excluded Files & Directories: The ransomware avoids encrypting critical system files (boot.ini, bootmgr, etc.) and system directories (windows, system32, etc.) ensuring system stability while targeting user data.
  • Encryption Extension: Files are renamed with the “.EByteLocker” extension after encryption.

Screenshot of files encrypted by EByte Ransomware
  • Ransom Note “Decryption Instructions.txt”: A predefined ransom message informs victims that their files are encrypted and can only be restored by paying a ransom in cryptocurrency. It cautions against modifying or renaming the encrypted files, as this may render them unrecoverable. The note also provides an email address for the victim to contact the attackers and negotiate payment.

EByte Ransom note (Decryption Instructions.txt)
  • Wallpaper Modification: An Ebyte-Locker ransom wallpaper is downloaded from a remote URL [which is currently unavailable].

Screenshot of Wallpaper change

Encryption Module (encryption Package)
File Encryption:

  • Uses the ChaCha20 stream cipher. Because a stream cipher XORs a keystream into the data byte by byte, the locker can encrypt intermittently: 1 byte is encrypted and the next 2 bytes are left untouched. This damages large files quickly while still rendering them unusable, and because roughly two thirds of each file stays in clear, entropy-based detection of encrypted output is less reliable than against full encryption.
  • The per-file encryption key and nonce are generated and then encrypted with ECIES (Elliptic Curve Integrated Encryption Scheme), so only the holder of the private key can recover them [ECIES offers security comparable to RSA with shorter key lengths, making it the more efficient choice] [e.g. 1740114202992611500]
  • The ransomware reads the file, encrypts its content in chunks, and overwrites it in place.
  • The encrypted key and nonce are stored alongside the encrypted file data.

Decrypter

EByte-Rware-Decryptor is designed to reverse the encryption performed by EByte Locker.

Configuration Module (configuration Package)

  • Excluded Directories: The decryptor skips the same critical system directories (e.g. Windows, System32, Program Files) that the encryptor skipped.
  • Private Key: Stores the ECIES private key, which is essential for decrypting files.
  • Encrypted Extension: The tool targets files with the “.EByteLocker” extension.

Decryption Module (decryption Package)

  • Reading Encrypted Files: Opens the target file, reads its content, and extracts the encrypted key, the encrypted nonce, and the ciphertext, which were stored in that order separated by "||". Because the fields are binary, a parser must split on only the first two separators; a "||" sequence that happens to occur inside the ciphertext must not be treated as a delimiter.
  • Decrypting the Key and Nonce: Uses ECIES (Elliptic Curve Integrated Encryption Scheme) with the stored private key to decrypt the encryption key and nonce.
  • Reversing Encryption (ChaCha20 Decryption): Initializes a ChaCha20 cipher with the decrypted key and nonce and XORs the keystream into the ciphertext, restoring the original file content (for a stream cipher, decryption is the same operation as encryption).
  • Restoring Decrypted Files: Overwrites the encrypted file with the decrypted content and truncates it to the correct length so the restored file is intact.
  • Recursive Decryption: Calls filewalker.DecryptDirectory("/") to decrypt files recursively. On Windows the path "/" resolves to the root of the current drive, so other drives are not covered by that single call.
  • Wallpaper Restoration: Resets the wallpaper to the Windows default (C:\Windows\Web\Wallpaper\Windows\img19.jpg), using PowerShell and the Windows API (user32.dll) to revert the ransomware's custom wallpaper.

EXTERNAL THREAT LANDSCAPE MANAGEMENT

The developer of Sryxen – aka ThunderKitty stealer, ThunderKitty Ransomware, Shellcode Loader, and multiple other projects – has developed new Ransomware by the name of Ebyte and made it publicly available on GitHub.

The developer has been active since 2023 and works in multiple languages, including C, C++, Go and D.

The developer “EvilByteCode” has claimed to be a Purple Team Cyber Security enthusiast.

The developer has a Telegram channel which is currently not active, and an active Discord channel with over 174 members.

The dashboard offers information on unlocking chats, logging in, and other features. Users can purchase the source code for educational and research purposes by contacting the author on Telegram.

EByte Locker has been identified as a ransomware variant inspired by Prince Ransomware, with the author explicitly crediting Prince Ransomware as its foundation.

Programming Language & Encryption: Both Prince and EByte Locker are written in Go language and utilize ChaCha20 and ECIES encryption algorithms.

Similar Ransom Note & Contact Information: The ransom notes in both ransomware variants share similarities in structure and contact email ID.

Identical Ransom Note Format: Both ransomware variants save their ransom notes under the same filename, “Decryption Instructions.txt.”

Matching Ransomware Wallpaper Message: The wallpaper for both ransomware displays the same warning: “All of your important documents have been encrypted. In order to decrypt them, find Decryption Instructions.txt.”

MITRE ATTACK FRAMEWORK

MITRE Tactic Name | Technique ID | Technique
Execution | T1059 | Command and Scripting Interpreter
Execution | T1106 | Native API
Execution | T1129 | Shared Modules
Persistence | T1505.003 | Server Software Component
Persistence | T1574 | Hijack Execution Flow
Privilege Escalation | T1055 | Process Injection
Privilege Escalation | T1548 | Abuse Elevation Control Mechanism
Defense Evasion | T1006 | Direct Volume Access
Defense Evasion | T1027 | Obfuscated Files or Information
Defense Evasion | T1027.002 | Software Packing
Defense Evasion | T1027.004 | Compile After Delivery
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1222 | File and Directory Permissions Modification
Defense Evasion | T1497.001 | System Checks
Defense Evasion | T1542.003 | Bootkit
Defense Evasion | T1564 | Hide Artifacts
Defense Evasion | T1564.001 | Hidden Files and Directories
Defense Evasion | T1564.003 | Hidden Window
Defense Evasion | T1070.004 | Indicator Removal on Host
Discovery | T1010 | Application Window Discovery
Discovery | T1016 | System Network Configuration Discovery
Discovery | T1018 | Remote System Discovery
Discovery | T1057 | Process Discovery
Discovery | T1082 | System Information Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1497.001 | System Checks
Discovery | T1518 | Software Discovery
Command and Control | T1071 | Application Layer Protocol
Command and Control | T1573 | Encrypted Channel
Impact | T1486 | Data Encrypted for Impact
Impact | T1496 | Resource Hijacking
Impact | T1485 | Data Destruction

CONCLUSION

EByte Ransomware represents an emerging threat, leveraging strong encryption techniques and persistent mechanisms to compromise systems. Its public availability raises concerns about potential misuse by threat actors, despite being labeled as an educational project. The ransomware’s capabilities, including file encryption, C2 communication, and evasion techniques, highlight the need for proactive cybersecurity measures. Organizations should focus on regular backups, endpoint security, and user awareness training to defend against such threats. Continuous monitoring and threat intelligence are essential to staying ahead of evolving ransomware tactics.

RECOMMENDATIONS

Strategic Recommendations:

  • Adopt a Zero Trust Security Model – Implement least privilege access and continuously verify users and devices before granting access to sensitive data or systems.
  • Strengthen Threat Intelligence Capabilities – Leverage real-time threat intelligence to monitor emerging ransomware trends and proactively defend against evolving threats.
  • Enhance Cyber Resilience – Develop a comprehensive incident response (IR) and business continuity plan (BCP) to minimize operational disruption from ransomware attacks.

Management Recommendations:

  • Endpoint Detection and Response (EDR) Deployment: Utilize advanced EDR solutions to detect and mitigate suspicious activities associated with ransomware.
  • Patch Management and System Hardening: Regularly update operating systems, applications, and third-party software to close vulnerabilities that ransomware exploits.
  • Employee Security Awareness Training: Conduct regular phishing simulations and security training to educate employees on ransomware risks and safe cybersecurity practices.
  • Network Segmentation and Access Control: Restrict lateral movement of ransomware within the organization by segmenting critical networks and enforcing multi-factor authentication (MFA).

Tactical Recommendations:

  • Disable Unnecessary Services and Ports: Close unused remote desktop (RDP) ports and administrative access points to reduce attack surfaces.
  • Implement Application Whitelisting: Restrict execution of unauthorized software to prevent EByte Ransomware payloads from running on endpoints.
  • Conduct Regular Threat Hunting: Actively search for indicators of compromise (IoCs) and unusual network traffic related to EByte Ransomware and its variants.
  • Enable Logging and Forensic Capabilities: Maintain detailed security logs, SIEM monitoring, and anomaly detection to facilitate forensic analysis and rapid incident response.
  • Monitoring File Extension Changes: Alert on bulk renames of files to suspicious extensions, in particular ".EByteLocker", and on the creation of "Decryption Instructions.txt" outside expected locations.
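For the hunting and file-extension recommendations above, a responder usually needs to scope an infection quickly: how many files carry the extension, where the ransom notes are, and when the earliest locked file was written. The block below is an added example for this report, not code from the EByte project. It walks a tree with the standard library, skips the same system directories the report says the locker and decryptor skip, and returns a summary a practitioner can act on. The directory names, the case-insensitive matching and the use of file modification time as an approximate encryption start are this example's own choices; the files created in the usage note are constructed.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// Indicators taken from the report, compared case-insensitively.
const (
	lockedExt  = ".ebytelocker"
	ransomNote = "decryption instructions.txt"
)

// systemDirs mirrors the directories the report says the locker and decryptor
// skip; skipping them here saves time and avoids false positives from AV quarantines.
var systemDirs = map[string]bool{"windows": true, "system32": true, "program files": true}

// Triage summarises what an EByte infection touched under one root.
type Triage struct {
	Locked       int            // files carrying the .EByteLocker extension
	Notes        []string       // every ransom note found
	PerDir       map[string]int // locked files per directory, for scoping
	Earliest     time.Time      // mtime of the oldest locked file (approx. start of encryption)
	EarliestPath string
}

// triage walks root and collects the indicators above. Errors from unreadable
// entries abort the scan so that a partial result is never mistaken for a full one.
func triage(root string) (Triage, error) {
	t := Triage{PerDir: map[string]int{}}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		name := strings.ToLower(d.Name())
		if d.IsDir() {
			if p != root && systemDirs[name] {
				return filepath.SkipDir
			}
			return nil
		}
		switch {
		case name == ransomNote:
			t.Notes = append(t.Notes, p)
		case strings.HasSuffix(name, lockedExt):
			t.Locked++
			t.PerDir[filepath.Dir(p)]++
			if info, e := d.Info(); e == nil && (t.Earliest.IsZero() || info.ModTime().Before(t.Earliest)) {
				t.Earliest, t.EarliestPath = info.ModTime(), p
			}
		}
		return nil
	})
	return t, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	t, err := triage(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(1)
	}
	fmt.Printf("%d locked files, %d ransom notes, earliest locked file %q at %s\n",
		t.Locked, len(t.Notes), t.EarliestPath, t.Earliest.Format(time.RFC3339))
	for dir, n := range t.PerDir {
		fmt.Printf("  %s: %d\n", dir, n)
	}
}
```

Run it as `go run . D:\` on a mounted image or a share. The per-directory counts tell you which user profiles or shares were reached, and the earliest modification time is a starting point for the timeline before the EDR and file-server logs are pulled; treat it as approximate, since the locker overwrites files in place and timestamps can be altered.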

INDICATORS OF COMPROMISE

Sr. No. | Indicator | Type | Remarks
1 | 25bc9f536d47dedfb2750878f2eb08190232ef47d30f8332110dbc7c2cc732e4 | SHA-256 | Server.exe
2 | 08cf671756c4a333fe6fe40feb5707d048c576e0f701cacb38a466558c420acc | SHA-256 | EByteLocker-Built.exe (Encrypter)
3 | 70266f83906956deece1c628f52db70c6a4f2c7612fe0f5c811a615284a02fc0 | SHA-256 | Decryptor-Built.exe (Decrypter)