
Tranium wiper: static analysis of a Go binary

Kirk
12 min read
Tags: malware, wiper, ransomware, go, reverse-engineering

This is a technical reverse engineering report. Read the plain-language briefing for the non-technical summary.

Tranium is a 6 MB Go binary that encrypts files with AES-CBC, overwrites the MBR on three physical drives, and corrupts 30+ system files including the registry hives and boot chain. It triggers a Blue Screen of Death and sets the desktop wallpaper to a photo of an American YouTuber. The source file is named wiper.go. There are no wallet addresses, no contact email, no .onion URL, no payment mechanism of any kind. Every vendor that detects it calls it ransomware.

It is not ransomware. Even if the encryption key could be recovered, the MBR is gone. The boot chain is destroyed, the registry hives are corrupted, and the system files required to start Windows no longer exist. The machine will not boot. This is a wiper.

If you operate a threat intelligence platform with API access and can provide a researcher account, please reach out to kirk@derp.ca. Additional data sources directly increase the quality and coverage of the threat intel published here.


Binary identification

Field | Value
SHA256 | 06430cf9e0ec9fb5b783db7c01fd59bd651d8877143fc45d2bcd7e4dedaf94a6
MD5 | 5dc62f4c65df422f1e7a0e691b1a075b
Type | PE32+ GUI executable (x86-64)
Size | 6,192,640 bytes (6 MB)
Language | Go 1.26.0
Source file | wiper.go (1,037 lines)
Build path | C:/Users/Admin/Downloads/wiper.go
Dependency | golang.org/x/sys@v0.41.0
Compiler flags | -s -w -H windowsgui (stripped, GUI subsystem)
AV detection | 9/76 at time of analysis

Kaspersky detects it as VHO:Trojan-Ransom.Win32.Agent.gen. Microsoft calls it Ransom:Win32/Genasom. Huorong labels it Ransom/LockFile.mf. All generic ransomware signatures. No vendor identifies it as a wiper or assigns a family name.

The binary was compiled from a single source file in the Downloads folder with symbols stripped. Go 1.26.0 was released on 2026-02-10, one month before the sample appeared. The .symtab section, zeroed PE timestamp, and linker version 3.0 are standard Go compiler markers.


Function map

The main package contains 29 functions named main.a1 through main.a29 (no a21), plus main.main, main.boxWndProc, and main.createMessageBoxClass. We mapped every function to its behaviour using GoReSym virtual address boundaries and RIP-relative LEA cross-references against the string blob.

main.main orchestrates the execution. It prints "Hello Tranium," displays "Where hath your files gone?" in a custom window, includes the string "Good luck.", and calls the 29 functions roughly in sequence. The execution chain is:

Mutex check (a1)
  -> Defender kill (a2)
  -> Shadow copy / recovery destruction (a3)
  -> UAC bypass via fodhelper (a4)
  -> Persistence: Run/RunOnce keys (a6)
  -> Persistence: startup folder (a8)
  -> Persistence: scheduled tasks x3 (a9)
  -> Persistence: Windows service (a10)
  -> Persistence: IFEO debugger hijack (a11)
  -> Persistence: BootExecute (a12)
  -> Taskbar hiding (a13)
  -> File download: wallpaper + audio (a14)
  -> MBR overwrite (a15)
  -> Raw disk overwrite, second pass (a16)
  -> System file corruption (a17)
  -> User directory + system component wipe (a18)
  -> Full system lockdown: 16+ policies (a19)
  -> Wallpaper and audio setup (a20)
  -> Certificate store manipulation (a24, a25)
  -> File encryption: AES-CBC via goroutines (a26)
  -> Audio playback (a27)
  -> BSOD trigger (a28)
  -> Final boot cleanup (a29)

The ordering matters. Tranium destroys the MBR and corrupts system files before it encrypts user data. By the time the encryption goroutines finish, the machine is already unrecoverable. The encryption is a cosmetic layer on top of irreversible destruction.
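The function-to-behaviour mapping described above is mechanical once you have two inputs: function boundaries (from GoReSym) and the RIP-relative LEA instructions that load string addresses. The script below is an added example, not the tooling used for this report; every address, function name and string in it is constructed, and the string blob is laid out the way Go packs literals (back to back, no terminators), so a reference can only be attributed by resolving the LEA target into the blob and locating the instruction inside a function range.

```python
"""Map string references back to stripped Go functions.

Added example, not the post's tooling. It reproduces the technique described above:
GoReSym gives function boundaries, a disassembler gives RIP-relative LEA instructions,
and each LEA target is resolved into the packed string blob. All addresses, names and
strings below are constructed for the demonstration.
"""
import bisect

# Constructed function table: (start_va, end_va, name), sorted by start.
FUNCTIONS = [
    (0x4A0000, 0x4A0400, "main.a1"),
    (0x4A0400, 0x4A1000, "main.a3"),
    (0x4A1000, 0x4A2200, "main.a17"),
    (0x4A2200, 0x4A3000, "main.main"),
]

# Constructed string blob. Go string literals are packed back to back with no NUL
# terminators, so the blob can only be split by knowing where references land.
BLOB_VA = 0x5C0000
STRINGS = [
    "Hello Tranium",
    "Good luck.",
    "vssadmin delete shadows /all /quiet",
    "Where hath your files gone?",
]


def build_string_table(blob_va, strings):
    """Lay the constructed strings out consecutively and return (va, text) pairs."""
    table, offset = [], 0
    for text in strings:
        table.append((blob_va + offset, text))
        offset += len(text.encode())
    return table


def encode_disp32(target_va, insn_va, insn_len):
    """Displacement as the CPU stores it: relative to the next instruction, 32-bit two's complement."""
    return (target_va - (insn_va + insn_len)) & 0xFFFFFFFF


def resolve_lea(insn_va, insn_len, disp32):
    """RIP-relative target = address of the next instruction + sign-extended disp32."""
    disp = disp32 - (1 << 32) if disp32 & 0x80000000 else disp32
    return (insn_va + insn_len + disp) & 0xFFFFFFFFFFFFFFFF


def function_containing(va, functions=FUNCTIONS):
    """Name of the function whose [start, end) range contains va, or None."""
    starts = [start for start, _, _ in functions]
    i = bisect.bisect_right(starts, va) - 1
    if i >= 0 and functions[i][0] <= va < functions[i][1]:
        return functions[i][2]
    return None


def string_at(target_va, table):
    """The string whose bytes cover target_va. Go references hit a string start, but an
    interior hit is returned too so a mis-split table is still visible in the output."""
    for va, text in table:
        if va <= target_va < va + len(text.encode()):
            return text
    return None


def map_strings_to_functions(leas, functions=FUNCTIONS, table=None):
    """leas: iterable of (insn_va, insn_len, disp32). Returns {function: [strings]}."""
    table = table if table is not None else build_string_table(BLOB_VA, STRINGS)
    result = {}
    for insn_va, insn_len, disp32 in leas:
        func = function_containing(insn_va, functions)
        text = string_at(resolve_lea(insn_va, insn_len, disp32), table)
        if func and text:
            result.setdefault(func, []).append(text)
    return result


# Constructed LEA listing: 7-byte "lea reg, [rip+disp32]" instructions at made-up VAs.
_TABLE = build_string_table(BLOB_VA, STRINGS)
LEAS = [
    (0x4A2210, 7, encode_disp32(_TABLE[0][0], 0x4A2210, 7)),  # main.main -> "Hello Tranium"
    (0x4A1040, 7, encode_disp32(_TABLE[1][0], 0x4A1040, 7)),  # main.a17  -> "Good luck."
    (0x4A0410, 7, encode_disp32(_TABLE[2][0], 0x4A0410, 7)),  # main.a3   -> "vssadmin ..."
    (0x4A2230, 7, encode_disp32(_TABLE[3][0], 0x4A2230, 7)),  # main.main -> "Where hath ..."
]

if __name__ == "__main__":
    for func, strings in map_strings_to_functions(LEAS).items():
        print(func, "->", strings)
```

On a real sample the LEA listing comes from the disassembler and the string table from the blob's reference targets rather than a hand-written list; the resolution step (next-instruction address plus sign-extended displacement, then a range lookup on both sides) is the same.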


Encryption

main.a26 is the encryption orchestrator. It spawns goroutine workers (main.a26.func1, 6.1 KB) that perform AES-CBC encryption using Go's crypto/cipher stdlib. The AES S-box, inverse S-box, and Rcon tables are present in the .data section at their standard offsets.

Key generation uses crypto/rand -- the OS CSPRNG. Both CryptProtectData and CryptUnprotectData are imported, indicating the key is stored via DPAPI. The binary also links decryption routines (NewCBCDecrypter, CryptBlocks). In theory, the key could be recovered from DPAPI if the user profile is intact.

In practice, the boot chain is destroyed before the user could attempt recovery. The registry hives (SAM, SYSTEM, SOFTWARE, SECURITY, DEFAULT) that DPAPI depends on are among the files corrupted in main.a17.

No file extension for encrypted files was found in the binary. A search for .tranium, .locked, .encrypted, .enc, .crypt, and other common ransomware extensions returned nothing. Files may be overwritten in place without renaming.


MBR and disk destruction

main.a15 opens \\.\PhysicalDrive0, \\.\PhysicalDrive1, and \\.\PhysicalDrive2 for direct write access, along with raw volume handles \\.\C: and \\.\D:. The MBR is overwritten on all three drives.

main.a16 performs a second raw disk overwrite pass on the C: and D: volumes. This is separate from the MBR operation -- it targets the volume data directly.

main.a29 handles final boot cleanup after everything else has run: bootmgr, ntldr, pagefile.sys, and hiberfil.sys.


System file corruption

main.a17 (4.4 KB) and main.a18 (5.3 KB) between them target over 30 files and directories:

Boot chain:

bootmgr, bootmgr.efi, BOOTNXT, bootsect.bak
winload.exe, winload.efi, winresume.exe, winresume.efi
bootvid.dll, BCD-Template, boot.ini

System executables:

ntoskrnl.exe, hal.dll, smss.exe, winlogon.exe, wininit.exe

Registry hives:

SAM, SYSTEM, SOFTWARE, SECURITY, DEFAULT

Filesystem and storage drivers:

ntfs.sys, fastfat.sys, partmgr.sys, volmgr.sys, volmgrx.sys

Configuration:

win.ini, system.ini, hosts

User directories (main.a18): Desktop, Documents, Downloads, Favourites, Pictures, Videos, Music, Contacts, Searches, OneDrive, Saved Games, 3D Objects. Also targets system components: CodeIntegrity, DriverStore, catroot2, dllcache, SysWOW64.

The string "Good luck." appears in main.a17.


Recovery destruction

Before any persistence or encryption begins, main.a3 eliminates recovery options:

cmd.exe /c wmic shadowcopy delete
cmd.exe /c vssadmin delete shadows /all /quiet
cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
cmd.exe /c bcdedit /set {default} recoveryenabled no

System Restore is disabled via the SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore registry key.
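The four commands above are the loudest part of the pre-wipe sequence and they run before anything is encrypted, which makes them the detection point that still leaves time to isolate the host. The script below is an added example (not part of this report's tooling) that matches them in process-creation logs and raises an alert only when one parent process spawns several of them. The log lines are constructed in a simple tab-separated form (timestamp, pid, parent image, command line); a real feed would be Sysmon Event ID 1 or Security 4688, and the parent path and pids are made up.

```python
"""Flag the recovery-destruction commands main.a3 issues, from process-creation logs.

Added example, not from the post. Log lines are constructed: tab-separated
timestamp, pid, parent image and command line. The matching is done on a normalized
command line so "cmd.exe /c" wrapping, quoting, spacing and case do not matter.
"""
import re

# Each pattern is matched against a normalized (lower-case, unquoted) command line.
RECOVERY_DESTRUCTION = [
    ("shadow_copy_delete_wmic", re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b")),
    ("shadow_copy_delete_vssadmin", re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b")),
    ("bootstatuspolicy_ignoreallfailures",
     re.compile(r"\bbcdedit\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b")),
    ("recoveryenabled_no", re.compile(r"\bbcdedit\b.*\brecoveryenabled\b\s+no\b")),
]

# Constructed sample log. Only the process at Downloads\setup.exe spawns the chain;
# the last line ("vssadmin list shadows") is a benign control that must not fire.
SAMPLE_LOG = """\
2026-03-07T10:00:01Z\t4120\tC:\\Windows\\explorer.exe\t"C:\\Windows\\System32\\notepad.exe" report.txt
2026-03-07T10:00:02Z\t4188\tC:\\Users\\user\\Downloads\\setup.exe\tcmd.exe /c wmic shadowcopy delete
2026-03-07T10:00:02Z\t4190\tC:\\Users\\user\\Downloads\\setup.exe\tcmd.exe /c  VSSADMIN delete shadows /all /quiet
2026-03-07T10:00:03Z\t4192\tC:\\Users\\user\\Downloads\\setup.exe\tcmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2026-03-07T10:00:03Z\t4194\tC:\\Users\\user\\Downloads\\setup.exe\tcmd.exe /c bcdedit /set {default} recoveryenabled no
2026-03-07T10:05:00Z\t5000\tC:\\Windows\\System32\\services.exe\tvssadmin list shadows
"""


def normalize(cmd):
    """Lower-case, drop quotes, collapse whitespace."""
    return re.sub(r"\s+", " ", cmd.replace('"', "")).strip().lower()


def classify(cmd):
    """Names of the recovery-destruction patterns a single command line matches."""
    text = normalize(cmd)
    return [name for name, rx in RECOVERY_DESTRUCTION if rx.search(text)]


def parse_log(text):
    """Parse the constructed tab-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, parent, cmd = line.split("\t", 3)
        events.append({"ts": ts, "pid": int(pid), "parent": parent, "cmd": cmd})
    return events


def scan(text):
    """Every matching event, with its pattern names attached."""
    hits = []
    for ev in parse_log(text):
        names = classify(ev["cmd"])
        if names:
            hits.append({**ev, "matches": names})
    return hits


def alerts(text, threshold=2):
    """Parents that spawned at least `threshold` distinct destruction patterns.

    A lone vssadmin call can be an administrator; wmic + vssadmin + two bcdedit
    edits from one parent within seconds is the pre-wipe sequence described above.
    """
    by_parent = {}
    for hit in scan(text):
        by_parent.setdefault(hit["parent"], set()).update(hit["matches"])
    return {parent: sorted(names) for parent, names in by_parent.items()
            if len(names) >= threshold}


if __name__ == "__main__":
    for parent, names in alerts(SAMPLE_LOG).items():
        print(parent, "->", ", ".join(names))
```

The threshold is the design choice worth keeping: each command alone is noisy in an enterprise, but the combination, from one parent, in one burst, is the sequence this sample runs and is rare in legitimate administration.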


Persistence

Ten mechanisms across six functions:

# | Mechanism | Function | Detail
1 | Run key (HKLM) | a6 | {D4E5F6A1-B2C3-4D5E-6F7A-8B9C0D1E2F3A} -> Tranium.exe
2 | Run key (HKCU) | a6 | Same GUID
3 | RunOnce key (HKLM) | a6 | Same GUID
4 | RunOnce key (HKCU) | a6 | Same GUID
5 | Startup folder | a8 | Copies as {E5F6A1B2-C3D4-4E5F-6A7B-8C9D0E1F2A3B}.exe
6 | Scheduled task x3 | a9 | Three nested tasks, every minute, SYSTEM, highest privileges
7 | Windows service | a10 | sc create {C3D4E5F6-A1B2-4C9D-0E1F-2A3B4C5D6E7F}
8 | IFEO debugger hijack | a11 | sethc.exe, osk.exe, magnify.exe, narrator.exe, utilman.exe
9 | BootExecute | a12 | autocheck autochk * Tranium.exe -- runs pre-boot
10 | UAC bypass | a4 | fodhelper via ms-settings\Shell\Open\command + DelegateExecute

The scheduled task persistence (#6) uses a triple-nesting technique. The outer task creates the middle task, the middle creates the inner, and the inner runs the payload every minute as SYSTEM with highest privileges. Deleting one task leaves the others to recreate it.

The IFEO hijack (#8) replaces the Debugger value for five accessibility tools. Pressing Shift five times at the lock screen, clicking the on-screen keyboard, or launching any of these utilities will execute Tranium instead.


Defence evasion and system lockdown

main.a2 disables Windows Defender:

DisableAntiSpyware = 1
DisableRealtimeMonitoring = 1
DisableBehaviorMonitoring = 1
DisableOnAccessProtection = 1

main.a19 (1.2 KB) applies a full system lockdown via 16+ registry policies:

Policy | Effect
DisableTaskMgr = 1 | Blocks Task Manager
DisableRegistryTools = 1 | Blocks regedit
DisableCMD = 2 | Blocks cmd.exe (batch files allowed)
EnableLUA = 0 | Disables UAC
ConsentPromptBehaviorAdmin = 0 | No elevation prompt
DisableLockWorkstation | Blocks Win+L
DisableChangePassword | Blocks password change
NoRun | Removes Run dialog
NoFind | Removes search
NoControlPanel | Blocks Control Panel
NoClose | Removes shutdown option
NoLogoff | Removes log off
NoSetTaskbar | Blocks taskbar changes
NoFileMenu | Removes file menus
NoFolderOptions | Blocks folder options
NoTrayContextMenu | Disables tray right-click
NoViewContextMenu | Disables explorer right-click

main.a13 hides the taskbar by calling FindWindow on Shell_TrayWnd.

Certificate manipulation occurs in main.a24 and main.a25 -- certificates are added to both the ROOT and AuthRoot stores.
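The persistence table and the Defender/lockdown policies above are all registry writes, which makes them easy to audit from an offline hive export or a snapshot taken by an EDR. The script below is an added example, not tooling from this report: it evaluates a registry snapshot against the registry-side indicators from both sections (GUID-named Run/RunOnce values, Debugger values under IFEO for the five accessibility tools, a non-default BootExecute, Defender disable flags, EnableLUA=0 and the Task Manager lockdown). The snapshot is a constructed dict, the Tranium.exe path in it is made up, and keys are matched by suffix so the check does not depend on which hive or policy path a given build writes to.

```python
"""Audit a registry snapshot for Tranium's persistence and lockdown indicators.

Added example, not the post's tooling. SNAPSHOT is constructed: a dict of key path ->
{value name: data}, as an offline hive parser or EDR registry dump would produce.
The executable path below is made up; the GUID and value names are the ones from
the persistence table above.
"""
import re

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
ACCESSIBILITY_TOOLS = {"sethc.exe", "osk.exe", "magnify.exe", "narrator.exe", "utilman.exe"}
IFEO_MARK = r"\Image File Execution Options\\".rstrip("\\") + "\\"
DEFAULT_BOOTEXECUTE = "autocheck autochk *"

# (key suffix, value name, data that indicates tampering, finding label)
POLICY_INDICATORS = [
    (r"\Windows Defender", "DisableAntiSpyware", 1, "defender_disabled"),
    (r"\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring", 1, "defender_realtime_disabled"),
    (r"\Policies\System", "EnableLUA", 0, "uac_disabled"),
    (r"\Policies\System", "ConsentPromptBehaviorAdmin", 0, "no_elevation_prompt"),
    (r"\Policies\System", "DisableTaskMgr", 1, "taskmgr_blocked"),
    (r"\Policies\System", "DisableRegistryTools", 1, "regedit_blocked"),
]

# Constructed snapshot after infection. The path to Tranium.exe is an assumption.
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\Tranium.exe"
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SNAPSHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Program Files\Windows Defender\MSASCuiL.exe",   # benign
        "{D4E5F6A1-B2C3-4D5E-6F7A-8B9C0D1E2F3A}": PAYLOAD,
    },
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce": {
        "{D4E5F6A1-B2C3-4D5E-6F7A-8B9C0D1E2F3A}": PAYLOAD,
    },
    IFEO + r"\sethc.exe": {"Debugger": PAYLOAD},
    IFEO + r"\utilman.exe": {"Debugger": PAYLOAD},
    IFEO + r"\notepad.exe": {"UseFilter": 1},   # benign: no Debugger, not an accessibility tool
    r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager": {
        "BootExecute": ["autocheck autochk * Tranium.exe"],
    },
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender": {"DisableAntiSpyware": 1},
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection": {"DisableRealtimeMonitoring": 1},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": {
        "EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "DisableTaskMgr": 1,
    },
}


def audit(snapshot):
    """Return findings as (label, key, value_name, data) tuples."""
    findings = []
    for key, values in snapshot.items():
        # Autorun values named with a GUID: Tranium registers its launcher this way in all four keys.
        if key.endswith((r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")):
            for name, data in values.items():
                if GUID_RE.match(name):
                    findings.append(("autorun_guid_name", key, name, data))
        # A Debugger value on an accessibility tool means that tool launches something else.
        if IFEO_MARK in key:
            image = key.rsplit("\\", 1)[-1].lower()
            if image in ACCESSIBILITY_TOOLS and "Debugger" in values:
                findings.append(("ifeo_accessibility_debugger", key, "Debugger", values["Debugger"]))
        # BootExecute runs before winlogon; anything beyond the default entry is suspect.
        if key.endswith(r"\Session Manager"):
            for entry in values.get("BootExecute", []):
                if entry.strip().lower() != DEFAULT_BOOTEXECUTE:
                    findings.append(("bootexecute_modified", key, "BootExecute", entry))
        # Defender and UAC/lockdown policy values.
        for suffix, name, bad, label in POLICY_INDICATORS:
            if key.endswith(suffix) and values.get(name) == bad:
                findings.append((label, key, name, bad))
    return findings


def labels(findings):
    """Sorted distinct finding labels, for a quick summary."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for label, key, name, data in audit(SNAPSHOT):
        print(f"{label:30} {key}\\{name} = {data}")
```

Suffix matching is deliberate: the same value names appear under HKLM and HKCU, and under both the policy and non-policy Defender keys, and the section above only identifies them by name. A clean machine should produce no findings; a Debugger value on sethc.exe or utilman.exe alone is enough to investigate.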


Wallpaper, audio, and the YouTuber connection

main.a14 downloads two files from up to four sources:

URL | File
https://autism[.]lat/v73d2.bmp | Wallpaper (primary)
https://autism[.]lat/UPiQj.wav | Audio (primary)
https://file.marafile[.]cc/3months/1773106600_716fdd44_0.bmp | Wallpaper (backup)
https://file.marafile[.]cc/3months/1773106676_5f65a166_0.wav | Audio (backup)
https://biteblob[.]com/Download/gsaqlrX1mH0a5V/#bat.wav | Audio (backup)
https://thegumonmyshoe[.]me/b77/gYKRXBNDVcuBUeNlQGhu.bmp?md5=...&expires=... | Wallpaper (auth-gated)

The wallpaper is a 225x225 BMP -- a selfie photo of Tranium, an American YouTuber with 1.3 million subscribers who makes virus testing content. The binary sets this as the desktop wallpaper via SystemParametersInfoW and the Control Panel\Desktop\Wallpaper registry key. The string "Hello Tranium" appears in main.main. The malware is named after him.

The audio file (bat.wav) is 145.9 seconds of PCM 16-bit stereo at 44100 Hz (24.5 MB). main.a27 plays it via PlaySoundW.


Ransom dialog

main.createMessageBoxClass registers a custom window class called BoxClass via RegisterClassExW. The window procedure main.boxWndProc renders a BMP image using BitBlt and StretchBlt.

No text rendering APIs are present -- DrawTextW, TextOutW, BeginPaint, CreateFont, and SetTextColor are all absent. The "ransom note" is the downloaded BMP itself, displayed as an image. The text "Where hath your files gone?" appears in the string blob but is not rendered via GDI text functions.


BSOD trigger

main.a28 calls RtlAdjustPrivilege to acquire SeShutdownPrivilege, then triggers a Blue Screen of Death via NtRaiseHardError. The binary also imports ExitWindowsEx and InitiateSystemShutdownExW as additional shutdown paths.


Infrastructure

Domain | Notes
autism[.]lat | Primary file host, behind Cloudflare. Created 2026-02-13.
thegumonmyshoe[.]me | Wallpaper hosting. Round-robins across 91.193.56.10-14 (AS207616 Altrosky Technology, Amsterdam). Created 2026-01-03.
file.marafile[.]cc | Backup file hosting. Generic service.
biteblob[.]com | Backup file hosting. Generic service.

IP | ASN | Location
91.193.56.10 | AS207616 Altrosky Technology | Amsterdam, NL
91.193.56.11 | AS207616 Altrosky Technology | Amsterdam, NL
91.193.56.12 | AS207616 Altrosky Technology | Amsterdam, NL
91.193.56.14 | AS207616 Altrosky Technology | Amsterdam, NL
71.179.14.4 | AS701 Verizon Business | Bel Air, MD, US (residential FIOS)

All network traffic is HTTPS on port 443. The thegumonmyshoe.me URL includes an MD5 auth token and epoch expiry (1773117667, approximately 2026-03-07). No C2 channel exists -- these are download-only URLs for the wallpaper and audio files.

The residential Verizon FIOS IP (71.179.14.4) appeared in sandbox network flows.

No related samples were found on any platform. Domain searches, IP searches, tag searches, and GitHub source searches all returned zero results. This appears to be a single build from a single author.


IOC summary

Network

Type | Value | Context
Domain | autism[.]lat | Primary file hosting
Domain | thegumonmyshoe[.]me | Wallpaper hosting
Domain | file.marafile[.]cc | Backup file hosting
Domain | biteblob[.]com | Backup file hosting
IP | 91.193.56.10 | Altrosky Technology, Amsterdam (thegumonmyshoe.me)
IP | 91.193.56.11 | Altrosky Technology, Amsterdam
IP | 91.193.56.12 | Altrosky Technology, Amsterdam (thegumonmyshoe.me)
IP | 91.193.56.14 | Altrosky Technology, Amsterdam (thegumonmyshoe.me)
IP | 71.179.14.4 | Verizon FIOS residential, Bel Air MD

Host

Indicator | Value
Mutex | Global\{F9E3B4A1-2D5C-4F8B-9A6E-1C7D3B5A8F2E}
Wallpaper | %TEMP%\1773106600_716fdd44_0.bmp (225x225 YouTuber selfie)
Audio | bat.wav (145.9s PCM)
Window class | BoxClass
Build path | C:/Users/Admin/Downloads/wiper.go

Hashes

Hash | Value
SHA256 (binary) | 06430cf9e0ec9fb5b783db7c01fd59bd651d8877143fc45d2bcd7e4dedaf94a6
MD5 (binary) | 5dc62f4c65df422f1e7a0e691b1a075b
SHA1 (binary) | 621551552d8ebcf1c5b8e23246726cc589eda56d
Imphash | 4e2bd2c481372f7ab13b83b63b424e97
SHA256 (wallpaper) | 0fd1cd57e37b3c312ed66c2dda1e9548dfccdf1d8fcf57416b67118e072b38a4
SHA256 (bat.wav) | 3bfeaa70b0df65969d5ac7fb2ae6e110fbd3cd2901658ff4ac0cbf8569a2ff38

Registry

Key | Value | Purpose
HKLM\...\Run\{D4E5F6A1-...} | Tranium.exe | Persistence
HKCU\...\Run\{D4E5F6A1-...} | Tranium.exe | Persistence
HKLM\...\RunOnce\{D4E5F6A1-...} | Tranium.exe | Persistence
HKCU\...\RunOnce\{D4E5F6A1-...} | Tranium.exe | Persistence
HKLM\...\IFEO\sethc.exe\Debugger | Tranium.exe | IFEO hijack
HKLM\...\IFEO\osk.exe\Debugger | Tranium.exe | IFEO hijack
HKLM\...\IFEO\magnify.exe\Debugger | Tranium.exe | IFEO hijack
HKLM\...\IFEO\narrator.exe\Debugger | Tranium.exe | IFEO hijack
HKLM\...\IFEO\utilman.exe\Debugger | Tranium.exe | IFEO hijack
..\Session Manager\BootExecute | autocheck autochk * Tranium.exe | Pre-boot persistence
..\Windows Defender\DisableAntiSpyware | 1 | Defence evasion
..\Policies\System\EnableLUA | 0 | UAC disable

Behavioural

Behaviour | Detail
MBR overwrite | \\.\PhysicalDrive0/1/2
Raw disk overwrite | \\.\C:, \\.\D: (two passes)
Shadow copy deletion | wmic + vssadmin
Recovery disabled | bcdedit bootstatuspolicy + recoveryenabled
System Restore disabled | Registry: DisableSR
BSOD trigger | RtlAdjustPrivilege + NtRaiseHardError
Scheduled tasks | 3 nested tasks, every minute, SYSTEM
Windows service | sc create with GUID name
Taskbar hidden | FindWindow(Shell_TrayWnd)
Certificate injection | ROOT + AuthRoot store additions

Assessment

Tranium uses AES-CBC encryption with DPAPI key protection, MBR overwriting across three physical drives, raw volume data destruction, and system file corruption targeting the boot chain and registry hives. It adds IFEO debugger hijacking on five accessibility tools, the fodhelper UAC bypass, BootExecute persistence, and a forced BSOD via NtRaiseHardError. 10 persistence mechanisms. 16+ lockdown policies.

The source file is named wiper.go, compiled from a Downloads folder, with no payment infrastructure. The wallpaper is a photo of a YouTuber who tests malware on camera. 9 of 76 vendors detect it. All of them classify it as ransomware.

A YARA rule (Tranium_Wiper) is available at github.com/kirkderp/yara.

See also: IronChain, GhostWeaver.