Good Day ransomware (ARCrypter) campaigns expanded in 2023 with TOR-based victim portals and ties to the Cloak extortion site. The findings connect Good Day ransom notes, victim portals, and Cloak data leaks through public chats on the portals. #GoodDay #ARCrypter #Cloak #AstraLocker #Tor #Germany #Italy #Taiwan #France
Keypoints
- Good Day is an ARCrypter variant that gained visibility in 2023, with a surge of campaigns and new ransom notes.
- Each Good Day payload points to its own TOR-based (onion) victim portal, so every target is served a portal specific to that victim rather than a shared negotiation site.
- Some ransom notes include the MikLYmAklY555[@]cock[.]li email, a signature previously seen in AstraLocker campaigns.
- Publicly accessible victim chats reveal threat actors discussing data leaks to the Cloak blog site, tying Good Day to Cloak data sales/leaks.
- The Cloak site lists victims (23 at the time) with many marked as “sold,” used as intimidation to pressure payment.
- Target geography shows focus on Germany, Italy, Taiwan, and France.
MITRE Techniques
- [T1090.003] Proxy: Multi-hop Proxy – Victim negotiation portals are hosted as Tor onion services. ‘a TOR-based victim portal’ and the onion domains listed below are referenced in the analysis. The analysis does not describe Tor being used for command and control or for exfiltration, so this mapping covers the extortion infrastructure only.
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – The payload triggers a User Account Control (UAC) prompt to elevate when launched. It requests elevation rather than silently bypassing UAC, so it relies on a user with admin rights accepting the prompt. ‘The payload issues a User Access Control (UAC) prompt in order to elevate privileges when launched.’
- [T1036] Masquerading – The ransomware masquerades as a Microsoft Windows Update executable (WindowsUpdate.exe). ‘masquerades as a Microsoft Windows Update executable (WindowsUpdate.exe).’
- [T1486] Data Encrypted for Impact – The malware enumerates local volumes and encrypts their contents; encrypted files are renamed with the .crYptA or .crYptB extensions. The rename is part of the encryption impact, not T1027 obfuscation. ‘Once running, the malware will attempt to enumerate all local volumes to encrypt.’ ‘Encrypted files are renamed with the .crYptA or .crYptB extensions post-encryption.’
- [T1057] Process Discovery – The malware enumerates all running processes. ‘enumerate all running processes.’
- [T1083] File and Directory Discovery – Volume enumeration is performed to identify targets for encryption. ‘Volume enumeration in Good Day’ (as shown in the visuals) and related discovery steps.
- [T1490] Inhibit System Recovery – The malware deletes volume shadow copies (VSS) to hinder recovery. ‘vssadmin.exe delete shadows /all /quiet’
- [T1657] Financial Theft – Double extortion: the actors threaten to publish or sell the victim’s data on the Cloak leak site to pressure payment. The analysis documents the leak site and the threats made in the portal chats, not the channel used to exfiltrate data from victims. ‘leak the victim’s data … the Cloak blog site.’
- [T1622] Debugger Evasion – The sample enumerates running processes for debuggers (S-Ice.exe, ImmunityDebugger.exe, x64dbg.exe) to hinder analysis. No virtual-machine or sandbox checks are described, so T1497 does not apply. ‘The search list includes S-Ice.exe, ImmunityDebugger.exe, x64dbg.exe and others.’
Indicators of Compromise
- [Payload, SHA-1] – d5fba798bb2a0aaca17f17fa14f2ff240be8d34d
- [Ransom Notes, SHA-1] – 7cf3b23cdb8c5fd74b094f76eb4ffc38e18bd58a, 7ef712604fca6ad5a368745a015354aba74f5f61, a3ff2d575adc8edb088706e1de1a18a2d789cd73, c374252e4cff08e3abcda06503998cd3d3ef8322
- [URLs] – cloak7jpvcb73rtx2ff7kaw2kholu7bdiivxpzbhlny4ybz75dpxckqd[.]onion, dcpuyivlbzx56hqwsvey33bxobxw3timjgljjy3index6qvdls5bjoad[.]onion, and 2 more onion URLs
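As an added example (not code from the original analysis), the Python below turns the behaviours in the MITRE list and the indicators above into a small hunting script: it refangs the published onion indicators, parses process-creation records, flags the WindowsUpdate.exe masquerade, the vssadmin shadow-copy deletion and the payload SHA-1, and picks out files renamed with the .crYptA/.crYptB extensions. The Sysmon-like `Key=Value|Key=Value` record format, its field names (Image, CommandLine, SHA1) and the sample events and paths are assumptions constructed here; only the hashes, domains, extensions and command line come from the write-up.

```python
"""Hunt for the Good Day / ARCrypter behaviours and indicators listed above.

Added example for this write-up, not code from the original analysis.
Event records are CONSTRUCTED in a Sysmon Event ID 1-like key=value shape;
the field names (Image, CommandLine, SHA1) and the '|' delimiter are assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators from the write-up, kept defanged exactly as published.
PAYLOAD_SHA1 = {"d5fba798bb2a0aaca17f17fa14f2ff240be8d34d"}
RANSOM_NOTE_SHA1 = {
    "7cf3b23cdb8c5fd74b094f76eb4ffc38e18bd58a",
    "7ef712604fca6ad5a368745a015354aba74f5f61",
    "a3ff2d575adc8edb088706e1de1a18a2d789cd73",
    "c374252e4cff08e3abcda06503998cd3d3ef8322",
}
ONION_IOCS = [
    "cloak7jpvcb73rtx2ff7kaw2kholu7bdiivxpzbhlny4ybz75dpxckqd[.]onion",
    "dcpuyivlbzx56hqwsvey33bxobxw3timjgljjy3index6qvdls5bjoad[.]onion",
]
# Post-encryption extensions (.crYptA / .crYptB), matched case-insensitively.
ENCRYPTED_EXT = re.compile(r"\.crypt[ab]$", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a string that matches live data."""
    return ioc.replace("[.]", ".").replace("[@]", "@")


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    sha1: str = ""


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(
        image=fields.get("Image", ""),
        command_line=fields.get("CommandLine", ""),
        sha1=fields.get("SHA1", "").lower(),
    )


def detect(ev: ProcessEvent) -> list[str]:
    """Return the technique/IOC labels a single process-creation event matches."""
    hits = []
    name = PureWindowsPath(ev.image).name.lower()
    if ev.sha1 in PAYLOAD_SHA1:
        hits.append("ioc:payload-sha1")
    # T1036: the payload masquerades as WindowsUpdate.exe. Matching on the image
    # name alone is deliberately broad; baseline it in your own environment.
    if name == "windowsupdate.exe":
        hits.append("T1036:windowsupdate-masquerade")
    # T1490: shadow-copy deletion ('vssadmin.exe delete shadows /all /quiet').
    if name == "vssadmin.exe" and re.search(r"\bdelete\s+shadows\b", ev.command_line, re.I):
        hits.append("T1490:vssadmin-delete-shadows")
    return hits


def encrypted_files(paths: list[str]) -> list[str]:
    """T1486: files carrying the Good Day post-encryption extensions."""
    return [p for p in paths if ENCRYPTED_EXT.search(p)]


def hunt(lines: list[str]) -> dict[int, list[str]]:
    """Run detect() over every record; keys are indexes of records with hits."""
    results = {}
    for i, line in enumerate(lines):
        hits = detect(parse_event(line))
        if hits:
            results[i] = hits
    return results


# CONSTRUCTED sample records: two malicious, one benign.
SAMPLE_EVENTS = [
    r"Image=C:\Users\Public\WindowsUpdate.exe|CommandLine=WindowsUpdate.exe|SHA1=D5FBA798BB2A0AACA17F17FA14F2FF240BE8D34D",
    r"Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe delete shadows /all /quiet",
    r"Image=C:\Windows\System32\svchost.exe|CommandLine=svchost.exe -k netsvcs",
]
# CONSTRUCTED file paths as seen after an encryption run.
SAMPLE_PATHS = [r"D:\finance\q3.xlsx.crYptA", r"D:\finance\q3.xlsx", r"C:\share\plan.docx.crYptB"]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS).items():
        print(idx, hits)
    print(encrypted_files(SAMPLE_PATHS))
    print([refang(o) for o in ONION_IOCS])
```

The vssadmin rule alone will fire on legitimate backup housekeeping; correlate it with the masquerade or hash hit from the same host before treating it as a Good Day incident, and use the refanged onion domains against proxy or DNS logs, where any resolution attempt for a .onion name is itself anomalous on most corporate networks.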