Cybersecurity blog header

Golang opens the door to full-blown ransomware

Ransomware developed with Golang has raised concerns in the cybersecurity community

In recent months, several malicious codes developed with Golang have appeared. This «open source» programming language allows cross-compiling for other platforms and operating systems with great ease, which would allow attacking multiple platforms with the same effort

It was not created as an offensive tool. On the contrary. But Golang, the open source language developed just over a decade ago by three Google programmers, could end up becoming a powerful ally of hostile actors. Of the numerous ransomware groups that inhabit the shadows of the Web.

For now, these are just signs. Timid signs. But very disturbing.

In recent months, some ransoms developed with Golang have been appearing. With all that this implies. Mainly, its versatility to adapt to all kinds of platforms and operating systems.

For the moment, the impact of these malwares has been very limited. But the warning is already there. Recently, Ekans (also known as Snake and developed with Golang) demonstrated the versatility of this ransomware, in its case, with a very specific focus on industrial systems.

And those working in the cybersecurity universe are guessing at the dangers that could be unleashed if this first generation evolves.

To understand why Golang could unleash a storm in the future, you have to go back to the genesis: to the birth of this programming language.

Robert Griesemer, Rob Pike and Ken Thompson presented their project to Google in 2007. They wanted to address the shortcomings detected in other languages. Some were very efficient at compiling code, others were very simple to program. Some stood out for their speed of execution.

None, however, condensed these three virtues. Go Programming Language, popularly known as Golang, was going to solve the equation.

Google liked what it heard. And it provided the means to make the project a reality.

Since then, Golang has been growing. Thanks to the firm commitment of the multinational, but also thanks to the drive of a very active community that participates in its development and optimization.

And it’s precisely this constant improvement that has set off alarm bells in the world of cybersecurity.

Multiplatform potential

Most especially because of the potential of one of the hallmarks of this programming language. Its ease of operation on all kinds of platforms and, therefore, to adapt to a large number of heterogeneous targets.

When ransomware is developed for Windows with another language, its attack capability is very limited to that operating system and underlying platforms. ç

If the hostile actor wants to bring this malicious code to Linux computers and ARM architecture, he will have to start almost from scratch and chop up many thousands of lines of code.

In short, redo the work all over again.

Golang helps to overcome this limitation. José Lancharro, the director of BlackArrow, Tarlogic’s offensive and defensive services division, explains it very graphically: «With Golang you can create a kind of all-terrain ransomware. You can jump to all platforms with almost the same lines of code».

Golang allows attacking multiple platforms

With an even more disturbing peculiarity. It’s able to penetrate even cell phones. Because with Go you can compile the ransomware for ARM processors, the most common architecture in both iOS and Android terminals.

Also in embedded systems such as routers or even virtual assistants. Everyday gadgets that number in the millions across the planet.

«We have no evidence that this is going to be exploited -argues Lancharro- but by design a very dangerous door has been opened to make the leap to cell phones and embedded systems with very few changes».

Behind this versatility to be deployed on all kinds of platforms is the very nature of the programming language. A dynamic that the bad guys are starting to take advantage of.

A ransom created with Golang doesn’t need to take advantage of the resources of the system it’s going to penetrate. Something that does happen when the malware has been designed for Windows or Linux.

Heavier, more harmful

It’s true that with Golang the bug is heavier because it incorporates the code to execute all the routines necessary to carry out the attack. But, in exchange, it adapts to a large number of systems.

In other words, it allows an exponential increase in the attack surface.

In addition, although these ransoms are larger, they are relatively agile in the development phase. Why? Because Golang is designed to take advantage of packages developed by third parties with relative ease.

With some differences, this is a similar dynamic to the one that arises in development with React, Angular or Vue. Languages in which it’s possible to use external frameworks that significantly speed up programming work.

The director of BlackArrow insists that, for the time being, the ransomware developed with Golang had a very limited impact.

But they have pointed down a disturbing path. «A door has been opened to new platforms that didn’t have specific malware. This doesn’t mean they are already being explored, but a breeding ground is being created».

From a cybersecurity point of view, Lancharro points out that teams such as those at BlackArrow or Tarlogic are already studying the scale of a phenomenon that could change the rules of the game.

And he says that they are developing protections and tools for the eventual evolution of ransomware if its development with Golang becomes widespread.

The next big cybersecurity battle could be just around the corner…

Discover our work and cybersecurity services at