Good can be distributed through infected email attachments (macros), torrent websites, and malicious ads.
filenames with the ".good" extension (hence its name) during encryption. For instance, .good renames "sample.jpg" to "sample.jpg.good". Encrypted data immediately becomes unusable. As well as file encryption, .good displays a pop-up window and stores the "RETURN FILES.txt" text file on the desktop.
As with most Dharma variants, .good uses a text file and pop-up window to inform victims of the current situation. The text file contains a short message stating that data is encrypted and that victims must contact criminals to restore it.
The pop-up window delivers much more detail. It states that data is encrypted using the RSA-1024 algorithm and that recovery requires a unique decryption key. Unfortunately, this information is accurate. RSA-1024 is an asymmetric algorithm that uses two keys (public [encryption] and private [decryption]), generated for each victim. Decrypting files without the private key is impossible.
Criminals hide the keys on a remote server and blackmail victims for their release: to receive their key and recover data, each victim must pay a ransom. The cost is not specified (these details are provided via email); however, it is stated that the ransom must be paid within seven days after encryption, otherwise the key is overwritten by other victims' keys. The keys are permanently deleted and the developers are no longer able to restore encrypted data.
Victims are also allowed to attach one selected file (up to 1 MB, non-archived) to their email. Criminals will decrypt the file and return it as a 'guarantee' that they are capable of file decryption.
Text presented in Good pop-up window:
All FILES ENCRYPTED "RSA1024"
All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL firstname.lastname@example.org
IN THE LETTER WRITE YOUR ID, YOUR ID 1E857D00
IF YOU ARE NOT ANSWERED, WRITE TO EMAIL:email@example.com
YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON'T PULL TIME, WAITING YOUR EMAIL
FREE DECRYPTION FOR PROOF
You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
DECRYPTION PROCESS:
When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.
!WARNING!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
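The two host artifacts described above (the appended ".good" extension and the "RETURN FILES.txt" note) are enough to scope an infection on a disk or image. The following triage script is an added example, not part of the original article; the sample paths, function names and report layout are constructed for illustration.

```python
import os
from collections import Counter
from pathlib import PureWindowsPath

ENCRYPTED_SUFFIX = ".good"      # extension appended during encryption (from the article)
NOTE_NAME = "return files.txt"  # ransom note name from the article, lower-cased

# Constructed sample paths for illustration; not taken from a real incident.
SAMPLE_PATHS = [
    r"C:\Users\alice\Desktop\RETURN FILES.txt",
    r"C:\Users\alice\Pictures\sample.jpg.good",
    r"C:\Users\alice\Documents\budget.xlsx.good",
    r"C:\Users\alice\Documents\photo.JPG.GOOD",
    r"C:\Users\alice\Documents\README.good",   # no inner extension: ambiguous
    r"C:\Users\alice\Documents\notes.txt",
]


def triage(paths):
    """Sort paths into ransom notes, renamed files, ambiguous names and untouched files."""
    report = {"notes": [], "encrypted": [], "ambiguous": [], "clean": [],
              "by_type": Counter(), "dirs": set()}
    for raw in paths:
        p = PureWindowsPath(raw)  # parses both "\\" and "/" separators on any OS
        name = p.name.lower()
        if name == NOTE_NAME:
            report["notes"].append(raw)
        elif name.endswith(ENCRYPTED_SUFFIX):
            original = PureWindowsPath(p.name[:-len(ENCRYPTED_SUFFIX)])
            if original.suffix:
                # "sample.jpg.good" -> original name "sample.jpg", type ".jpg"
                report["encrypted"].append((raw, original.name))
                report["by_type"][original.suffix.lower()] += 1
                report["dirs"].add(str(p.parent))
            else:
                # Could be an extensionless file that was renamed, or an unrelated file
                report["ambiguous"].append(raw)
        else:
            report["clean"].append(raw)
    return report


def scan(root):
    """Walk a directory tree (e.g. a mounted disk image) and triage every file in it."""
    return triage(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)


if __name__ == "__main__":
    r = triage(SAMPLE_PATHS)
    print(len(r["encrypted"]), "renamed,", len(r["notes"]), "note(s),", dict(r["by_type"]))
```

Run `scan()` against a read-only mount or forensic copy rather than the live system, and compare the `by_type` counts with backup inventories to decide what needs restoring.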