GoldenEye Ransomware [updated]

Also Known As: GoldenEye virus
Distribution: Moderate
Damage level: Severe

GoldenEye ransomware removal instructions

What is GoldenEye?

GoldenEye is a combination of the Petya and MISCHA ransomware families. Like Petya and MISCHA, it is distributed through spam email: the message carries a fake job application with German text and two attachments, a decoy CV and a malicious Microsoft Excel workbook. Opening the workbook shows a prompt to "enable macros". If the user enables them, the macro writes an executable to disk and launches it, which starts the ransomware. No software exploit is involved: the macro prompt is the whole infection chain, which is why blocking or stripping macro-enabled attachments at the mail gateway stops this campaign.
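The infection chain above depends entirely on a macro-enabled attachment reaching a user, so the cheapest control is to triage attachments for VBA before delivery. The following is an added example, not code from the page or from the GoldenEye campaign. It relies on two documented format facts: modern Office files (.xlsx/.xlsm/.docx/.docm) are ZIP containers, and a macro-enabled one stores its VBA in a part named vbaProject.bin (xl/vbaProject.bin for Excel, word/vbaProject.bin for Word). Legacy .xls/.doc files are OLE compound documents with a different layout; the example only flags those for an OLE-aware parser. The sample workbook it builds is a constructed ZIP skeleton, not a real Excel file.

```python
"""Triage a mailed Office attachment for embedded VBA before anyone opens it."""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # header of legacy .xls/.doc/.ppt
ZIP_MAGIC = b"PK\x03\x04"                          # header of OOXML (ZIP) files


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'no-macro', 'legacy-ole' or 'unknown' for an attachment body."""
    if data.startswith(OLE_MAGIC):
        # may well carry VBA; hand off to an OLE parser (e.g. oletools' olevba)
        return "legacy-ole"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "unknown"
    # decide on the parts inside the container, never on the file extension,
    # because the sender controls the extension
    if any(n.endswith("vbaproject.bin") for n in names):
        return "macro"
    return "no-macro"


def build_sample_workbook(with_macro: bool) -> bytes:
    """Constructed sample: a minimal ZIP skeleton of an OOXML workbook (not a real Excel file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)   # stands in for the VBA project
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print("macro" if flag else "clean", "->", classify_attachment(build_sample_workbook(flag)))
```

At a gateway the useful policy is to quarantine anything classified as "macro" or "legacy-ole" from external senders, rather than trusting the user to decline the "enable macros" prompt.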

MISCHA and Petya differ in what they encrypt. MISCHA encrypts individual files of selected types, the way most ransomware does. Petya attacks the disk itself: it overwrites the Master Boot Record (MBR) with a custom boot loader, forces a reboot, and from that loader encrypts the NTFS Master File Table (MFT) behind a fake CHKDSK screen, which leaves every file on the volume unreachable even though most file contents are never touched. GoldenEye does both.

Overwriting the MBR requires administrative rights, so Petya has to trigger a User Account Control prompt. If the user declines, the process ends and nothing is encrypted. If the rights are granted, Petya installs its boot loader, reboots the computer, shows the fake check disk (CHKDSK) screen while the MFT is encrypted in the background, and then displays an ASCII-art ransom message each time the machine boots. MISCHA never touches the MBR; it simply encrypts files.

GoldenEye reverses the order. It encrypts files first, running as the current user without any prompt, and only then asks for administrative rights to install the Petya-style boot loader. Declining the prompt therefore no longer protects the victim's files; it only spares the MBR and the MFT. After encryption GoldenEye displays a ransom screen similar to Petya's, drops a text file named "YOUR_FILES_ARE_ENCRYPTED.txt" containing the same message into several folders (for example Desktop and My Documents), and renames each encrypted file by appending eight random characters (for example "sample.jpg" becomes "sample.jpg.g8k3jmol"). The ransom message demands 1.31034193 Bitcoins (approximately $1000 at the time of writing) and directs the victim to GoldenEye's Tor website for payment; the link is included in the message. Note: paying does not guarantee that your files will ever be decrypted.
Research shows that cyber criminals often ignore victims even after payment, so never contact them or pay the ransom. At the time of writing there is no tool that restores files encrypted by GoldenEye; security researchers did release a decryptor for early Petya builds, but it does not work against GoldenEye. That may change, but for now the only reliable recovery is restoring files and the system from a backup. If GoldenEye has also installed its boot loader, restoring files alone is not enough: the machine will not boot normally until the disk is reimaged (or, at minimum, the MBR is rewritten from recovery media, for example with bootrec /fixmbr in the Windows Recovery Environment, which does not recover the encrypted MFT), after which the backup can be restored.
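Because GoldenEye's second stage replaces the bootstrap code in the MBR, a responder wants a way to tell a tampered first sector from a clean one without guessing at the malware's bytes. The following is an added example, not code from the page. It uses only the standard MBR layout (bytes 0-445 bootstrap code, 446-509 four 16-byte partition entries, 510-511 the boot signature 0x55 0xAA) and compares the bootstrap area against a SHA-256 baseline recorded while the machine was known clean, for example from the build image. Reading the live sector needs administrator rights (the raw device path is an assumption for your platform, such as \\.\PhysicalDrive0 on Windows or /dev/sda on Linux); read_sector() is the only function that touches hardware, and the sample sectors are constructed in memory so the rest runs offline.

```python
r"""Compare a 512-byte MBR sector with a known-good baseline of its bootstrap code."""
import hashlib

SECTOR_SIZE = 512
BOOTSTRAP_END = 446      # bytes 0-445: bootstrap code
TABLE_END = 510          # bytes 446-509: four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"   # bytes 510-511: boot signature


def read_sector(device_path: str) -> bytes:
    """Read the first sector of a raw device (requires elevated rights, e.g. r'\\.\PhysicalDrive0')."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def bootstrap_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only; the partition table is allowed to change legitimately."""
    return hashlib.sha256(sector[:BOOTSTRAP_END]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return ["unexpected sector length %d" % len(sector)]
    if sector[TABLE_END:SECTOR_SIZE] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing: not a valid MBR")
    if bootstrap_hash(sector) != baseline_hash:
        findings.append("bootstrap code differs from baseline: custom boot loader suspected")
    for i in range(4):
        entry = sector[BOOTSTRAP_END + 16 * i: BOOTSTRAP_END + 16 * (i + 1)]
        if entry[0] not in (0x00, 0x80):   # status byte: 0x80 active, 0x00 inactive
            findings.append("partition entry %d has invalid status byte 0x%02x" % (i, entry[0]))
    return findings


def constructed_sector(bootcode: bytes) -> bytes:
    """Constructed sample MBR: given bootstrap bytes, one active NTFS partition, valid signature."""
    boot = bootcode.ljust(BOOTSTRAP_END, b"\x00")[:BOOTSTRAP_END]
    entry = (bytes([0x80]) + b"\x00" * 3            # active, CHS start (ignored)
             + bytes([0x07]) + b"\x00" * 3          # type 0x07 = NTFS, CHS end (ignored)
             + (2048).to_bytes(4, "little")         # LBA of first sector
             + (1_000_000).to_bytes(4, "little"))   # sector count
    table = entry + b"\x00" * 48                    # three empty entries
    return boot + table + BOOT_SIG


if __name__ == "__main__":
    clean = constructed_sector(b"\xEB\x3C\x90")     # typical x86 jump at the start of boot code
    baseline = bootstrap_hash(clean)
    print("clean:", check_mbr(clean, baseline))
    print("tampered:", check_mbr(constructed_sector(b"\xFA\x33\xC0"), baseline))
```

Run the comparison from a clean boot medium, not from the suspect operating system: once the malicious boot loader has run, nothing read through that system should be trusted, and a bootstrap mismatch is the signal to reimage rather than to try to repair in place.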

Screenshot of a skull (drawn using ASCII Text Art) displayed after encryption:

GoldenEye decrypt instructions

There are hundreds of ransomware-type viruses. Examples include Dharma, CTB-Locker, *.osiris, ASN1, Cerber, and many others. All of them encrypt files and make ransom demands; the main differences between them are the size of the ransom and the encryption scheme (symmetric or asymmetric) used. Research also shows that these viruses are commonly distributed through spam emails (malicious attachments), peer-to-peer networks and other third-party download sources (freeware download websites, free file hosting websites, etc.), unofficial software download sources, and trojans. Therefore, be cautious when opening files received from suspicious emails and when downloading software from unofficial sources. Cyber criminals also exploit software bugs and flaws to infect systems, so keep installed applications up to date and never use third-party update tools. Using a legitimate anti-virus/anti-spyware suite is also essential.

GoldenEye ransomware requesting administrative permissions:

GoldenEye asking for admin permissions (sample 1) GoldenEye asking for admin permissions (sample 2)

Screenshot of GoldenEye text file (YOUR_FILES_ARE_ENCRYPTED.txt):

GoldenEye text file

Text presented within GoldenEye text file:

You became victim of the GOLDENEYE RANSOMWARE!
The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2.
To purchase your key and restore your data, please follow these three easy steps:
1. Download the Tor Browser at "hxxps://www.torproject.org/". If you need help, please google for "access onion page".
2. Visit one of the following pages with the Tor Browser: hxxp://golden5a4eqranh7.onion/oTmqRcKj hxxp://goldeny4vs3nyoht.onion/oTmqRcKj
3. Enter your personal decryption code there: oTmqRcKj6ZvwAsqewqzYz9t8smYzWLaAzsvjQ5YX8JY53FKv5nAHc7W9L4VFnwSGd8Dw4rVi2nfkPGSX39mwCerLst1Tw4vb

Screenshot of an error message displayed before the computer restart:

GoldenEye fake error

Fake CHKDSK displayed during encryption:

GoldenEye faking check disk task

Text presented within this screen:

Repairing file system on C:
The type of the file system in NTFS
One of your disks contains errors and needs to be repaired. This process may take several hours to complete. It is strongly recommended to let it complete.
WARNING: DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGED IN!
CHKDSK is repairing sector - of -

Screenshot of a screen displayed after encryption:

GoldenEye screen after encryption

Screenshot of GoldenEye ransom-demand message:

GoldenEye ransom-demanding message

Text presented within this screen:

You became a victim of the GOLDENEYE RANSOMWARE!
The hard disks of your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2.
To purchase your key and restore your data, please follow these three easy steps:
1. Download the Tor Browser at “hxxps://www.torproject.org/“. If you need help, please google for “access onion page”.
2. Visit one of the following pages with the Tor Browser:
hxxp://goldenhjnqvc2lld.onion/
hxxp://golden2uqpiqcs6j.onion/
3. Enter your personal decryption code there: -
If you already purchased your key, please enter it below.

Screenshot of GoldenEye website (Payment - Step 1):

GoldenEye website (Payment step 1)

Text presented within this page:

Step 1: Enter your personal identifier
First you have to enter your personal identifier. This code contains important informations for the decryption process. It's important that you enter it exactly like shown on the encrypted computer. The code contains a checksum, which prevents typos and ensures a successfull decryption.
The personal identifier is 96 characters long and can be found in the "YOUR_FILES_ARE_ENCRYPTED.TXT" files, which the ransomware created in several locations (e.g. Desktop, Documents) on your computer.

Screenshot of GoldenEye website (Payment - Step 2):

GoldenEye website (Payment step 2)

Text presented within this page:

Step 2: Purchase Bitcoins
Your decryption key can only be purchased with Bitcoins. Bitcoin is a digital currency which can be exchanged from nearly every normal currency. There are a lot of exchange platforms on the internet, most of them are specialized on a single currency. Today buying bitcoins online is very easy and it's getting simpler every day!
You have to purchase at least the amount shown below. It is recommended to purchase a bit more, to ensure a successfull payment. An extra of 2% should be enough. If you already own enough Bitcoins, you could skip this step.
Demand: 1.31034193 Bitcoins
The following exchanges and marketplaces are recommended:
http://www.bitcoin.de - Bank Wire FAST!
http://www.btcdirect.eu - Sofort Banking, Giropay, Bank Wire, Mastercard and Visa
http://www.localbitcoins.com - Bank Wire and Cash
http://www.coincafe.com - Instant in NYC, Bank Wire and Mail Cash, Bank Wire and Credit Card
Any kind of Bitcoin-Wallet isn't required, you can transfer the purchased bitcoins directly to the payment address. If you want create a wallet anyway, http://www.blockchain.com is recommended.
If you successfull bought the right amount of Bitcoins, click "Next" for the next step.

Screenshot of GoldenEye website (Payment - Step 3):

GoldenEye website (Payment step 3)

Text presented within this page:

Step 3: Do a bitcoin transaction
Now you have to send your purchased Bitcoins to the payment address. If you just purchased Bitcoins on a exchange or marketplace site, look for a section called "Withdraw" and enter the details shown below. If you already own Bitcoins, send the right amount to the payment address shown below, directly from the wallet you use.
If you have any problems with the transaction, feel free to contact our Support.
Address: 1CwCMCS6GUJuz45x1LrqPWAuE41cMK7FtQ
Demand: 1.31034193 Bitcoins
After you made the payment transaction, you have to wait until we manually confirm it. This process usually takes a few hours. In some rare cases some payments need more time to get confirmed. Please refresh this page to see if your payment got confirmed.

Screenshot of GoldenEye website (FAQ):

GoldenEye website (FAQ)

Screenshot of GoldenEye website (Support):

GoldenEye website (Support)

Screenshot of files encrypted by GoldenEye (".[8_random_characters]" extension):

GoldenEye decrypt instructions
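The two artefacts shown above, the renamed files and the dropped note, are what a responder uses to scope an infection: how many files were hit, in which directories, and which victim identifier the ransom site would ask for. The following is an added example, not code from the page. It assumes the naming the page describes (the original name kept, with eight random characters appended, as in "sample.jpg.g8k3jmol") and takes the eight-character tag to be lowercase letters and digits, which is an assumption from that one example; widen ENCRYPTED_RE if samples show otherwise. It also uses the page's statement that the personal identifier in the note is 96 characters long. The directory it scans is constructed in a temporary folder with placeholder content.

```python
"""Scope a suspected GoldenEye infection from its file-system artefacts."""
import os
import re
import tempfile
from collections import Counter

NOTE_NAME = "YOUR_FILES_ARE_ENCRYPTED.txt"
# original name with a normal 1-5 character extension, then ".xxxxxxxx" (assumed lowercase alnum)
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]{1,5})\.(?P<tag>[a-z0-9]{8})$")
# the note's step 3 line carries the identifier the payment site asks for
ID_RE = re.compile(r"decryption code there:\s*([A-Za-z0-9]+)")
ID_LENGTH = 96


def classify_name(name: str):
    """Return ('note' | 'encrypted' | 'other', tag_or_None) for a file name."""
    if name == NOTE_NAME:
        return "note", None
    m = ENCRYPTED_RE.match(name)
    if m:
        return "encrypted", m.group("tag")
    return "other", None


def extract_victim_id(note_text: str):
    """Pull the personal identifier out of a note; None if absent or not 96 characters."""
    m = ID_RE.search(note_text)
    if not m:
        return None
    victim_id = m.group(1)
    return victim_id if len(victim_id) == ID_LENGTH else None


def scan_tree(root: str) -> dict:
    """Walk a tree and collect notes, renamed files, tag frequencies and victim identifiers."""
    report = {"notes": [], "encrypted": [], "tags": Counter(), "victim_ids": set()}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind, tag = classify_name(name)
            if kind == "note":
                report["notes"].append(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    victim_id = extract_victim_id(fh.read())
                if victim_id:
                    report["victim_ids"].add(victim_id)
            elif kind == "encrypted":
                report["encrypted"].append(path)
                report["tags"][tag] += 1
    return report


SAMPLE_ID = "o" * ID_LENGTH   # constructed placeholder with the length of a real identifier


def build_sample_tree() -> str:
    """Constructed directory mimicking a hit: two renamed files, one note, one untouched file."""
    root = tempfile.mkdtemp(prefix="goldeneye_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("sample.jpg.g8k3jmol", "report.docx.a1b2c3d4", "README.markdown"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    with open(os.path.join(docs, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("You became victim of the GOLDENEYE RANSOMWARE!\n"
                 "3. Enter your personal decryption code there: " + SAMPLE_ID + "\n")
    return root


if __name__ == "__main__":
    rep = scan_tree(build_sample_tree())
    print("%d encrypted files, %d notes, %d distinct tags, ids=%s"
          % (len(rep["encrypted"]), len(rep["notes"]), len(rep["tags"]), sorted(rep["victim_ids"])))
```

Run it read-only from a clean system against the mounted disk or a backup of it; the list of encrypted paths is what you reconcile against backups, and the identifier is what you keep in the incident record in case a decryptor is published later.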

GoldenEye ransomware removal:


Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 in Safe Mode with Networking - Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options; in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options" menu. Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced options screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding the "Shift" key on your keyboard. In the "Choose an option" window click "Troubleshoot", then select "Advanced options". In the advanced options menu select "Startup Settings" and click the "Restart" button. In the following window press F5 on your keyboard. This will restart your operating system in Safe Mode with Networking.

windows 10 safe mode with networking

Video showing how to start Windows 10 in "Safe Mode with Networking":

Step 2

Log in to the account infected with the GoldenEye virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.


If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":

1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window, click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the GoldenEye ransomware virus infiltrating your PC).

select a restore point

6. In the opened window, click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining GoldenEye ransomware files.

To restore individual files encrypted by this ransomware, try the Windows Previous Versions feature. It only works if System Restore was enabled on the infected system before the attack, and some variants of GoldenEye are known to delete Shadow Volume Copies, so it may not work on every computer. Remove the ransomware first (Step 2 above) before restoring anything; otherwise the restored copies are simply encrypted again.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.

Restoring files encrypted by GoldenEye using Previous Versions

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot it from a rescue disk. Some ransomware variants disable Safe Mode, which complicates removal, and a machine whose MBR GoldenEye has overwritten will not reach Safe Mode at all. For this step you need access to another computer to create the rescue medium.

To regain access to files encrypted by GoldenEye, you can also try a program called Shadow Explorer, which browses Shadow Volume Copies directly; like Previous Versions, it depends on the copies not having been deleted by the ransomware.

shadow explorer screenshot

To protect your computer from file-encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an additional layer, programs such as HitmanPro.Alert and Malwarebytes Anti-Ransomware watch for processes that rapidly rewrite or rename user files and stop the offending process, which blocks rogue programs such as GoldenEye ransomware before they get far.

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user-intervention:

hitmanproalert ransomware prevention application

Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:

malwarebytes anti-ransomware

  • The best way to avoid damage from ransomware infections is to maintain regular, up-to-date backups kept offline or otherwise out of reach of the infected machine.

Other tools known to remove GoldenEye ransomware: