

Good is a ransomware that belongs to the Dharma family.

Payload

Transmission

Good can be distributed through infected email attachments (macros), torrent websites, and malicious ads.

Infection

Good appends the ".good" extension to filenames (hence its name) during encryption. For instance, .good renames "sample.jpg" to "sample.jpg.good". Encrypted data immediately becomes unusable. In addition to encrypting files, .good displays a pop-up window and stores the "RETURN FILES.txt" text file on the desktop.

As with most Dharma variants, .good uses a text file and pop-up window to inform victims of the current situation. The text file contains a short message stating that data is encrypted and that victims must contact criminals to restore it.

The pop-up window delivers much more detail. It states that data is encrypted using the RSA-1024 algorithm and that recovery requires a unique decryption key. Unfortunately, this information is accurate. RSA-1024 is an asymmetric algorithm in which two keys (public [encryption] and private [decryption]) are generated for each victim. Decrypting files without the private key is impossible.

Criminals hide the keys on a remote server and blackmail victims for their release: to receive their key and recover data, each victim must pay a ransom. The cost is not specified; these details are provided via email. However, it is stated that the ransom must be paid within seven days after encryption, otherwise the key is overwritten by other victims' keys. The keys are then permanently deleted and the developers are no longer able to restore encrypted data.

Victims are also allowed to attach one selected file (up to 1 MB, non-archived) to their email. Criminals will decode the file and return it as a 'guarantee' that they are capable of file decryption.

Text presented in Good pop-up window:

All FILES ENCRYPTED "RSA1024"
All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, 
WRITE US TO THE E-MAIL onecrypt@aol.com
IN THE LETTER WRITE YOUR ID, YOUR ID 1E857D00
IF YOU ARE NOT ANSWERED, WRITE TO EMAIL:onecrypt@aol.com
YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT 
MAY BE OVERWRITTEN BY OTHER KEYS, DON'T PULL TIME, WAITING YOUR 
EMAIL
FREE DECRYPTION FOR PROOF
You can send us up to 1 file for free decryption. The total size of files must be less 
than 1Mb (non archived), and files should not contain valuable information. 
(databases,backups, large excel sheets, etc.)
DECRYPTION PROCESS:
When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.
!WARNING!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent 
data loss.
Decryption of your files with the help of third parties may cause increased price (they 
add their fee to our) or you can become a victim of a scam.
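
An added triage example (not part of the original page): it walks a directory tree for the two file-system indicators described above, the ".good" suffix and the "RETURN FILES.txt" note, and extracts the victim ID and contact address from pop-up text. The function names, the 8-hex-digit ID pattern and the demo directory tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

ENC_SUFFIX = ".good"            # extension appended by this variant (from the page)
NOTE_NAME = "RETURN FILES.txt"  # ransom note file name (from the page)

# Patterns for the pop-up text quoted on the page; the 8-hex-digit ID length
# is an assumption based on the single sample ID shown there.
ID_RE = re.compile(r"YOUR ID\s+([0-9A-F]{8})\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def triage(root):
    """Walk root and report renamed files, their original names, and notes."""
    encrypted, notes = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name
        if name.lower() == NOTE_NAME.lower():
            notes.append(path)
        elif name.lower().endswith(ENC_SUFFIX) and len(name) > len(ENC_SUFFIX):
            # "sample.jpg.good" -> original name "sample.jpg"
            encrypted.append((path, name[: -len(ENC_SUFFIX)]))
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def note_indicators(text):
    """Extract the victim ID and contact addresses from ransom-note text."""
    m = ID_RE.search(text)
    return {"victim_id": m.group(1) if m else None,
            "emails": sorted(set(EMAIL_RE.findall(text)))}


def demo():
    """Build a constructed directory tree and run the file-system check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Desktop").mkdir()
        (root / "Desktop" / NOTE_NAME).write_text("constructed note body")
        (root / "sample.jpg.good").write_bytes(b"\x00")
        (root / "untouched.docx").write_bytes(b"\x00")
        found = triage(root)
        return [orig for _path, orig in found["encrypted"]], len(found["notes"])


if __name__ == "__main__":
    print(demo())
```

The original file names recovered by `triage` give a restore list to check against backups, and the ID and address from `note_indicators` can be recorded in the incident ticket.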