Ransomware - Golden Axe

Golden Axe
Decryptor Available

The Golden Axe ransomware doesn't appear to be inspired by the 1989 Sega classic of the same name. However, there's no way of knowing. The threat actors behind this crypto-ransomware variant disseminated Golden Axe sometime in March, and it was discovered by Twitter user @tkanalyst on March 17, 2019. @tkanalyst noted that the ransomware payload was distributed via malvertising. Once executed, the ransomware performs its assumed actions by encrypting files and dropping a ransom note. However, Golden Axe has a few unique characteristics. The first is that the file extension used is a unique 5-alphanumeric sequence that is calculated dynamically; therefore, each time you run the ransomware, you will end up with a different 5-character string. This string is used to append to the end of encrypted files and is used in the ransom note names, of which there are three:

  • an image of a ransom note: # instructions-<5-alphanumeric character ID>.jpg
  • a ransom note text file: # instructions-<5-alphanumeric character ID>.txt
  • a VBS file that, when executed, plays a soundbite letting you know your files have been encrypted: # instructions-<5-alphanumeric character ID>.vbs

The only known sample we found is denoted by the SHA-256 hash: c40ba66fd4c3061429b092d378da5f6a648edc38e8be83992fdb77fb6200dbe2. We analyzed the UPX packed sample, unpacked it, and extracted a few characteristics, which are shown below. It was written in GoLang and used a hybrid encryption technique with the RC4 stream cipher encrypting the files and RSA encrypting the RC4 cipher key.

Ransomware Type
First Seen
Last Seen
Extortion Types
Direct Extortion
File Extension
<file name>.<5-alphanumeric character ID>
Ransom Note Name
# instructions-<5-alphanumeric character ID>.jpg
# instructions-<5-alphanumeric character ID>.txt
# instructions-<5-alphanumeric character ID>.vbs
Samples (SHA-256)
References & Publications
Elastio: Golden Axe
The Crypto-Ransomware Digest: Golden Ax ransomware