Goodwill ransomware group is propagating unusual demands to get the decryption key
Goodwill is one of the most recent ransomware threats. New threats are emerging daily, but this malware uses another strategy to bait victims and persuade them to pay the ransom. In detail, it uses three different social-driven activities related to charity to be able to download the decryption key.
Become a certified reverse engineer!
Digging into the details
The binary file is introduced as “Goodwill encryptor,” and a lot of information is extracted from the binary for a first look. Two interesting details are the “signature” and “compiler-stamp,” which tell us about the creation date of the ransomware — 29 March 2022 — and that it is compiled in .NET (C# v7.0). [CLICK IMAGES TO ENLARGE]
Figure 1: Goodwill description, signature, and compiler-stamp attributes.
Part of the binary is packed with UPX packer, as shown in Figure 2 below. With this technique, the ransomware operators aim to make the malware analysis process difficult because some information is obfuscated (e.g., the malware strings).
Figure 2: Goodwill packed with UPX packer.
After unpacking the binary file, a complete analysis of the ransomware source code is possible. A glance shows that the malware uses the “Costura” plugin, which allows putting together all the dependencies in the form of resources packed inside the final executable file.
The Goodwill main() function presents interesting endpoints at the header, including
- ngrok endpoint where some information about the victims’ machines is sent to
- path where the ransomware config is dropped in runtime (
C:\\Users\Public\\Windows\\UI\\)
Figure 3: Initial details and endpoint of Goodwill ransomware
When the ransomware is running, it collects some details about the infected machine and that information is sent onto a ngrok endpoint managed by the Goodwill operators.
Figure 4: Details are collected by Goodwill ransomware during its execution and sent to the ngrok endpoint.
As shown in Figure 4, some data is obtained in runtime, including:
- machine name
- computer username
- windows version
- system data
- system time
- IP address (by using api.ipify.org)
- victim geolocation (city)
- the encryption key and SystemID
Figure 5 shows the POST request to the “handshake.php” endpoint with the info collected by Goodwill ransomware.
Figure 5: POST request with the details sent to the Goodwill C2 server during the ransomware execution.
Notice that the handshake parameter is hardcoded inside the binary file with the static value: “jasmin@123”. This value is then used to validate whether the request is legitimate on the server side, as shown below with the PHP condition:
$check=$_POST['handshake'];if ($check=="jasmin@123")
{
Figure 6: Handshake.php page is used on the Goodwill C2 server.
The encryption process
Before starting the encryption process, the ransomware downloads from the C2 server a file named “alertmsg.zip” that contains the ransom note files. The ZIP is downloaded into the “C:\\Users\Public\\Windows\\UI\\” Windows folder.
Figure 7: GET request when the alertmsg.zip file is downloaded from the C2 server.
Goodwill generates a random password and creates the base64 representation. After that, the SHA256 of the base64 sequence is generated to be used as the AES encryption key with a key size of 256 and blocksize 128 in the CBC mode.
Figure 8: Goodwill encryption function (AES - CBC)
When the encryption process ends, the index.html page containing the ransomware note is launched via a launch.bat script dropped via alertmsg.zip file.
Figure 9: Goodwill ransomware note is presented via launch.bat script.
Ransomware note
To get the decryption key, the victim needs to perform three specific activities as shown below:
Figure 10: Sequence of HTML pages are linked to the Goodwill ransomware note.
After completing all the assigned activities, the details must be sent to the email using this format:
Figure 11: Email format is used to request the ransomware decryption key after completing the assigned tasks.
The decryption key is stored in a MySQL database when the handshake request is performed in the initial stage. Criminals can then get it and send it back to the victim along with the decryption tool.
Figure 12: Goodwill ransomware C2 panel is shown with the decryption key.
Ransomware protection guide
Although there is no magic formula to beat ransomware, we can take some measures to prevent incidents, including:
- Provide social engineering training, including phishing and malware to employees
- Keep software and systems updated
- Use endpoint protection solutions such as antivirus and EDR to block threats
- Use canary files/tokens to detect ransomware early
Finally, be proactive and perform cybersecurity assessments to find and mitigate weaknesses to prevent attacks in the wild both from the external and internal perspectives.
Sources:
Robin Hood ransomware, QuickHeal
Goodwill ransomware, CloudSEK
Food For Files: GoodWill Ransomware, Hackread
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
- What is Operation Dream Job by Lazarus?
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis