[MART] - Daily Diary #524 - GoodWill Ransomware - Part 2

CTAS-MAT ctas-mat at appgate.com
Thu Jun 2 22:21:38 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

06/02/2022 - Diary entry #524:

Last week, a new ransomware strain named GoodWill was discovered. Unlike other ransomware, GoodWill was supposedly not interested in extorting money from victims, but rather in promoting "social justice". This discovery was widely replicated by news outlets (including around the world) and therefore, it was covered in our Daily Diary #520. Our team then started to investigate it further and we found out that this GoodWill ransomware is a modification from an open-source red teaming simulation project.

Known as Jasmin, and created by an Indian developer, the open-source project has the same code as the reported GoodWill sample, although GoodWill only encrypts files with ".txt" and ".pdf" extensions. According to the project, "Jasmin Ransomware is an advanced red team tool (WannaCry Clone) used for simulating real ransomware attacks. The project is divided into a decryptor, an encrypter (used to build the GoodWill), and a web panel. The web panel works as a dashboard to receive the "infected" devices' information. After encrypting all targeted files, it downloads a ZIP file from a Ngrok server (recommended by the project for port forwarding) containing a set of files (HTML, CSS, etc) that are used as a ransom note.

GoodWill's default ransom note is exactly the same as the original project. It demands good actions in order to decrypt the files. Therefore, this was a kind of joke purposely created by the Jasmin ransomware author, since it is used for simulating ransomware attacks. Additionally, IP addresses extracted from the GoodWill sample were traced back to an Indian-based IT security solutions company that provides end-to-end managed security services.

GoodWill source is not the best option for threat actors to re-use code from because it relies only on AES symmetric encryption by default, making trivial the task to create a decryptor. To use GoodWill with malicious intents, Threat Actors need to at least implement additional asymmetric encryption as other Ransomware groups do. From our investigation we conclude that GoodWill is a sample stemmed from the Jasmin Ransomware project and that it was probably just used on red teaming simulation activities by a company, being mistakenly assigned as malicious.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220602/e43b954c/attachment.htm>

More information about the MART mailing list