Goodwill Ransomware, identified by CloudSEK researchers in March 2022, is known to promote social justice on the internet. It is known to encrypt documents, databases, videos, or photos after it infects the whole system. The files become inaccessible for the victims, where Robinhood’ Goodwill’ asks the victim to donate for socially driven activities to get their files back. For example: ‘Goodwill Ransomware forces victims to donate new clothes to the homeless, provide financial assistance to the poor, and many more. They then ask victims to post it online.
However, a few more ransomware have other motives to force victims to do some act to retrieve their infected files. Quick heal published a blog about Sarbloh Ransomware related to the Farmer Protests and was not demanding any ransom. Similarly, Goodwill ransomware acts as a Robin Hood and forces victims to help the poor. Let us look into more detail about this ransomware and how the attacker gets hold of the files in the system.
Let us analyse the hash (MD5: cea1cb418a313bdc8e67dbd6b9ea05ad). This is a .NET Compiled file. This executable is packed with Fody; hence we can see only the main routine.
We can also observe references to Costura.
Fig 1: Costura References
This Costura is a plugin for Fody that allows the developers to embed all the dependencies in the form of resources packed inside the final dotNET executable.
It can be seen in the above image how the embedded dependencies are fetched and unpacked.
Upon execution it connects to URL hxxp[:]//9855-13-235-50-147.ngrok[.]io/alertmsg[.]zip and downloads alertmsg.zip file into location: C:\Users\Public\Windows\Ui
All the content related to Ransom notes and encryption information is in the zip file. This executable coordinates with the contents of the zip. It encrypts the files with the extension “.gdwill.”
To recover the files, 3 activities need to be performed as shown below:
Fig 3: Ransom note
After completing all the given activities, the details must be sent to the email in the below format:
Fig 4: Email Format
The ransomware attackers ask the victims to provide convincing evidence for the activities to prove it done. After which, the person orchestrating this threat will provide a decryption tool to recover the stolen files. Let us look at how the threat actors hack and encrypt the files via the given below snapshot.
Fig 6: Encryption
1.GeneratePassword: A password is randomly generated and then base64 encoded. The SHA256 of this base64 encoded data which later forms the key for encryption (AES)
2. GenerateSystemId: SystemID of the victim’s machine is obtained
3. CheckConnection: Pings google.com and checks if the internet is working
4. MakeConnection: Uploads the password and SystemID to the server along with location and IP
5.RetrieveFiles: AES Encryption is done on files with extension with a key generated in Step1 .pptx,.docx,.xlsx,.txt,.pdf,.500,.jpeg,.jpg,.png
6. AlertingUser: Launches index.html(containing ransom note) via launch.bat present in the alertmsg.zip
Fig 7: Batch file for alert
This malware also sleeps for a few seconds to bypass the analysis.
At last, it was found that this ransomware was derived from an Open-source Jasmin Encryptor, which can be found on https://github.com/codesiddhant/Jasmin-Ransomware.
To keep ourselves secure from such attacks, follow the great saying “Prevention is better than Cure”! The infection vector is usually in the form of mails, so do not open attachments from an untrusted sender. Do not enable macros in the Doc received mainly from correspondences. Avoid clicking on unverified links and those in spam emails. Keep your software and antivirus updated. Always remember to back up your data so that you can recover it even in case of a ransomware attack.
In the content above, we have looked into how Goodwill Ransom is related to Open-source Jasmin. It has modified the open-source for, e.g., In Jasmin, files are encrypted with the “.jasmin” extension, whereas GoodWill files are encrypted with “.gdwill.” In Jasmin, hosted points to localhost, whereas Goodwill points to external C2. This ransomware was unique because of its charitable nature instead of demanding money. The strings present in the file, such as “Error h bhaiyya,” seems that the routes of this hack were generated in India.
Indicators of compromise (IOC)