A new ransomware, dubbed BlackCocaine or EpsilonRed, written in Go language has been discovered. It has already targeted an India-based IT firm, Nucleus Software, that provides its services to the banking and financial services sector. The attack was discovered on May 30 and subsequently investigated by researchers.

What has happened?

According to researchers, BlackCocaine operators have their own site that was registered recently at the beginning of the group’s operations. Its payload was compiled on May 29.
  • WHOIS information for its site (hxxp://blackcocaine[.]top) reveals that the domain was registered on May 28 and Nucleus Software is the first victim.
  • In addition, researchers reported that a file named a[.]BlackCocaine was submitted to different public sandboxes. It uses server-side encryption to lock user data and demand ransom.
  • Moreover, it performs file system enumeration while encrypting victims’ files and adds the .BlackCocaine extension to encrypted files. It uses RSA and AES encryption methods.
  • The payload file is a UPX-packed 64-bit Windows executable file and implements various anti-debugging and anti-VM techniques. It’s written in Golang and compiled with the MinGW tool.

Other ransomware written in Go

BlackCocaine is not the only malware written in Golang. This programming language has seen a recent rise in popularity among malware authors.
  • Epsilon Red is new ransomware written in Golang and was delivered as the final executable payload in a human-controlled attack.
  • Last month, a report provided detailed information regarding the evolution of the JSWorm ransomware family. Its programming language was changed from C++ to Golang in 2020.


BlackCocaine is the latest addition to the ransomware landscape and has displayed exceptional sophistication in its tactics, techniques, and procedures. With the rising threat posed by ransomware, it is imperative for everyone to maintain at least basic cybersecurity hygiene, such as using strong passwords, enforcing multi-factor authentication, and using shared indicators to prevent any infection.

Cyware Publisher