Tranium
Tranium is a destructive Windows wiper written in Go that has been misidentified by some antivirus products as ransomware because it performs real AES-CBC file encryption. The available analysis indicates it is a wiper, not true ransomware, because it first renders the system unbootable and destroys recovery paths before encrypting data, and it lacks any payment mechanism such as a wallet address, contact email, Tor site, or C2-based extortion workflow. The malware is described as a ~6 MB PE32+ x86-64 Go binary compiled from a single source file named wiper.go, with stripped symbols, and no related samples were reportedly found, suggesting a single build from a single author.
Its destructive behavior includes overwriting the master boot record on \\.\PhysicalDrive0, \\.\PhysicalDrive1, and \\.\PhysicalDrive2; performing additional raw overwrite operations against the \\.\C: and \\.\D: volumes; corrupting more than 30 critical system files; destroying Windows boot-chain components including bootmgr, bootmgr.efi, winload.exe/winload.efi, winresume.exe/winresume.efi, and BCD-Template; and corrupting the registry hives SAM, SYSTEM, SOFTWARE, SECURITY, and DEFAULT. It also deletes shadow copies via wmic and vssadmin, disables recovery with bcdedit, disables System Restore, and ultimately forces a BSOD using NtRaiseHardError after acquiring SeShutdownPrivilege. The encryption stage uses AES-CBC with a random key obtained from the operating system and stored via Windows DPAPI, but because the malware also destroys the registry hives DPAPI depends on, recovery of the key is impractical in practice.
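As an added defensive example (not from the original analysis), the following Python correlates the recovery-destruction chain described above, shadow-copy deletion via wmic or vssadmin followed by bcdedit disabling recovery, across constructed process-creation events; the field names host, time and cmdline are assumed, and the sample telemetry is constructed, not taken from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Technique label -> pattern over a lowercased, whitespace-collapsed command line.
# "vssadmin list shadows" is routine admin activity and is deliberately not matched.
RULES = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("shadow_copy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b")),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
]
WINDOW = timedelta(minutes=10)  # distinct techniques must co-occur on one host within this span
MIN_DISTINCT = 2                # alert only when shadow copies are deleted AND recovery is disabled

def classify(cmdline):
    """Return the set of technique labels a single command line matches."""
    norm = " ".join(cmdline.lower().split())
    return {label for label, rx in RULES if rx.search(norm)}

def correlate(events):
    """Per host, alert when >= MIN_DISTINCT techniques fall inside WINDOW; returns {host: alert}."""
    hits = defaultdict(list)
    for ev in events:
        for label in classify(ev["cmdline"]):
            hits[ev["host"]].append((datetime.fromisoformat(ev["time"]), label))
    alerts = {}
    for host, rows in hits.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            window = [r for r in rows[i:] if r[0] - t0 <= WINDOW]
            labels = {r[1] for r in window}
            if len(labels) >= MIN_DISTINCT:
                alerts[host] = {"techniques": sorted(labels),
                                "first": window[0][0].isoformat(),
                                "last": window[-1][0].isoformat()}
                break
    return alerts

# Constructed sample telemetry (field names host/time/cmdline are assumed, not from the report):
# WS01 shows the full chain, WS02 a benign enumeration, WS03 only the bcdedit step.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2024-01-01T10:00:05", "cmdline": "vssadmin  delete shadows /all /quiet"},
    {"host": "WS01", "time": "2024-01-01T10:00:07", "cmdline": "wmic shadowcopy delete"},
    {"host": "WS01", "time": "2024-01-01T10:00:09", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS02", "time": "2024-01-01T10:01:00", "cmdline": "vssadmin list shadows"},
    {"host": "WS03", "time": "2024-01-01T11:30:00", "cmdline": "bcdedit /set {default} recoveryenabled no"},
]

if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert)
```

Only WS01 alerts: a lone bcdedit change (WS03) or a read-only vssadmin listing (WS02) is not enough on its own, which keeps the rule from firing on ordinary administration.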
Tranium implements extensive persistence and system lockdown. Reported persistence mechanisms include Run and RunOnce keys in HKLM and HKCU, copying itself to the Startup folder, three nested scheduled tasks that recreate one another, creation of a Windows service, BootExecute modification for pre-boot execution, and IFEO debugger hijacks for sethc.exe, osk.exe, magnify.exe, narrator.exe, and utilman.exe to trigger execution from the lock screen. It also disables Windows Defender through multiple policy values, turns off UAC, uses the fodhelper UAC bypass for silent privilege elevation, and applies 16+ restrictive registry policies to disable tools and functions such as Task Manager, regedit, cmd, Control Panel, Run, search, folder options, shutdown, log off, and right-click menus.
The malware includes user-facing impact elements. It downloads a wallpaper image and an audio file over HTTPS, sets the desktop wallpaper to a selfie of the American YouTuber 'Tranium,' plays approximately 145.9 seconds of audio, and displays a custom ransom dialog rendered as an image rather than text. Mentioned strings include 'Hello Tranium,' 'Where hath your files gone?', and 'Good luck.' The reported infrastructure consists of a custom domain, autism.lat, behind Cloudflare and several generic file-hosting services used to serve the wallpaper and audio; no broader command-and-control channel was described.
High-confidence indicators and metadata mentioned in the content include SHA-256 06430cf9e0ec9fb5b783db7c01fd59bd651d8877143fc45d2bcd7e4dedaf94a6, MD5 5dc62f4c65df422f1e7a0e691b1a075b, direct drive targets \\.\PhysicalDrive0 through \\.\PhysicalDrive2, and the published YARA rule name Tranium_Wiper. AV detections cited in the content are generic ransomware labels, including Kaspersky VHO:Trojan-Ransom.Win32.Agent.gen and Microsoft Ransom:Win32/Genasom.
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (1 technique)
Persistence (7 techniques)
"Persistence: scheduled tasks x3 (a9)... triple-nesting technique... every minute, SYSTEM, highest privileges."
"main.a19 applies a full system lockdown via 16+ registry policies: DisableTaskMgr, DisableRegistryTools, DisableCMD... NoControlPanel..." | "EnableLUA = 0 Disables UAC"
"Persistence: IFEO debugger hijack (a11) sethc.exe, osk.exe, magnify.exe, narrator.exe, utilman.exe"
Privilege Escalation (7 techniques)
"Persistence: scheduled tasks x3 (a9)... triple-nesting technique... every minute, SYSTEM, highest privileges."
"Persistence: IFEO debugger hijack (a11) sethc.exe, osk.exe, magnify.exe, narrator.exe, utilman.exe"
"Registry Run/RunOnce keys in four locations. A startup folder copy."
Defense Impairment (2 techniques)
Command and Control (1 technique)
Impact (7 techniques)
"corrupts 30+ system files including the registry hives and boot chain" / "target over 30 files... Registry hives: SAM, SYSTEM, SOFTWARE, SECURITY, DEFAULT"
"...and then encrypts your data with AES... AES-CBC with a random key from the OS, stored via Windows DPAPI..."
"wmic shadowcopy delete" / "vssadmin delete shadows /all /quiet" / "bcdedit ... recoveryenabled no" / "System Restore is disabled..."
"sets the desktop wallpaper... via SystemParametersInfoW and the Control Panel\Desktop\Wallpaper registry key"
"BSOD trigger... calls RtlAdjustPrivilege... then triggers a Blue Screen of Death via NtRaiseHardError."
IOCs tracked for this family
20 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A new Go-based wiper malware that has been mistakenly classified by some as ransomware.
Destructive Go-based wiper that establishes multiple persistence mechanisms, disables user/admin recovery tools, overwrites the MBR and corrupts critical boot/OS components (including registry hives and filesystem drivers), then performs AES-CBC file encryption with a DPAPI-protected key that becomes unrecoverable due to prior system destruction; finally forces a BSOD to render the host unbootable.
Destructive Go-based wiper that (1) deletes shadow copies and disables recovery, (2) establishes multiple persistence mechanisms (Run/RunOnce, Startup folder, scheduled tasks, service, IFEO debugger hijack, BootExecute, fodhelper UAC bypass), (3) overwrites MBR on multiple physical drives and performs raw volume overwrites, (4) corrupts boot chain and Windows registry hives/system files to prevent boot, (5) encrypts files with AES-CBC (DPAPI-protected key) as a cosmetic layer, and (6) triggers a BSOD; also downloads/sets a wallpaper and plays audio.