mauri870 opened this issue 8 years ago
Adding a key to the registry that holds the information is a good idea, for example:

Infected: True
Encrypted: True or False
Paid: True or False
Pubkey:
BTCAddr:

On first run the malware will add the registry value "Infected: True", then it starts asking the server for a pubkey and a bitcoin address and saves them to the registry as Pubkey: and BTCAddr:. Then, after the encryption completes, it will finally add the values Encrypted: True, Paid: False.
What do you think? 💭
You read my mind. Go already has a package for interacting with the Windows registry:
https://godoc.org/golang.org/x/sys/windows/registry
I think this is a better approach than a simple hidden file.
Yes, simple and easy 👍
Ok, but what if the user adds the keys to the registry himself so that he can't be infected?
@azastrael Yes, I thought of that. Another possible way is to MD5 a combination of some hardware serials and maybe some system values, but this is also not good, as some of those values change and/or can be changed by the user. Using this MD5 we can contact the C2C and check if it is already infected/exists in the database.
Using a hardware ID, like the HDD or BIOS serial number.
Like: https://groups.google.com/forum/#!topic/golang-nuts/pKuFQxAy4P4
The malware needs a way to recognize whether the current user is already infected and skip before triggering the encryption process.
My idea is something like a "lock file", a hidden file or whatever, created by the malware after it finishes the encryption process. This file will store the encryption id to make it possible for the malware to retrieve some information from the C&C server (this will be implemented later), and obviously after the victim unlocks the files it needs to be removed.
I will leave this issue open for discussion and ideas.