DECAF is a Golang-based ransomware. It is written in Go 1.17, which adopts a new, more complex mechanism for passing parameters to functions. This makes reverse engineering more difficult. It encrypts every file on the file system whose size is less than 4 GB, using AES-CBC-128. A file marker, 0xDADFEEDBABEDECAF, is appended to each encrypted file so that it won't be encrypted again. The extension .decaf is appended to the names of all encrypted files, hence the name.
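For triage after an incident, the marker and extension described above can be used to inventory affected files. The following is an added example, not code from the original page; the function names are hypothetical, and it assumes the marker occupies the last 8 bytes of the file and accepts either byte order, since the page does not state the on-disk encoding.

```python
import os
import tempfile

MARKER = 0xDADFEEDBABEDECAF  # value given on the page
# Assumption: marker is the final 8 bytes; byte order is not stated on the
# page, so both encodings are accepted and reported.
MARKER_BYTES = {MARKER.to_bytes(8, "big"): "big-endian",
                MARKER.to_bytes(8, "little"): "little-endian"}
EXTENSION = ".decaf"

def classify(path):
    """Return (has_extension, marker_byte_order_or_None) for one file."""
    has_ext = path.lower().endswith(EXTENSION)
    order = None
    try:
        with open(path, "rb") as fh:
            if fh.seek(0, os.SEEK_END) >= 8:   # too-short files cannot hold it
                fh.seek(-8, os.SEEK_END)
                order = MARKER_BYTES.get(fh.read(8))
    except OSError:
        pass  # unreadable file: report on the extension alone
    return has_ext, order

def scan(root):
    """Walk root and return {path: (has_extension, byte_order)} for hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            has_ext, order = classify(full)
            if has_ext or order:
                hits[full] = (has_ext, order)
    return hits

def demo():
    """Build a constructed sample tree (not real samples) and scan it."""
    root = tempfile.mkdtemp()
    samples = {
        "report.docx.decaf": b"\x00" * 32 + MARKER.to_bytes(8, "big"),
        "renamed_back.docx": b"\x11" * 32 + MARKER.to_bytes(8, "little"),
        "clean.txt": b"hello world, nothing to see",
        "empty.decaf": b"",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return {os.path.basename(p): r for p, r in scan(root).items()}
```

Reporting the two indicators separately distinguishes files that carry the marker but were renamed from files that have the extension without the trailing marker.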
DECAF Ransomware Signatures
DECAF Ransomware Download