Threat Actor Interplay | Good Day’s Victim Portals and Their Ties to Cloak

Good Day ransomware, a variant within the ARCrypter family, was first observed in-the-wild in May of 2023. Between June and August of 2023, we observed an uptick in Good Day ransomware campaigns and a proliferation of new ransom note samples in public malware repositories. This new wave of Good Day attacks feature individual TOR-based victim portals for each target.

In this post, we expand on several unique Good Day ransom notes and victim portals and share our analysis of a sample associated with a URL leading to a known Cloak extortion site. By tying these recent Good Day campaigns to victims listed on the Cloak site, we can associate the Cloak data sales and leaks with Good Day through publicly viewable chats on the group’s TOR-based victim portals.

The discovery of such connections helps us chart the ever-dynamic relationships between existing and new vulnerabilities and threat actors. The more we can tie together these moving parts, the better chance that security practitioners have of reducing risk within their organizations.

Good Day Victim Portals Linked To Cloak Extortion Site

In July and August of 2023, we observed multiple new TOR-based URLs being staged for use by the Good Day group. Each portal is intended for a corresponding attack and specific victim. Similarly, each Good Day payload points to a specific victim portal.

Good Day (ARCrypter) victims are greeted with a ‘Good day’ welcome message when following the instructions provided in their ransom notes and opening the portal tied to the payload that encrypted their devices.

Standard Good Day victim portal
Standard Good Day victim portal

Some of the portals have been revealed in previous research by Cyble. However, analysis of a series of new ransom notes reveal that Good Day victims are also listed on the Cloak extortion blog site.

In particular, we found a series of ransom notes that all include the email address MikLYmAklY555[@]cock[.]li, which was also previously seen in AstraLocker campaigns.

Example of a Good Day ransom note seen in Aug. 2023
Example of a Good Day ransom note seen in Aug. 2023

At the time of writing, victim chats on the Good Day portals remain publicly accessible. Within these publicly accessible chats, we can see the threat actors communicating data to the victim.

In the case of sample d5fba798bb2a0aaca17f17fa14f2ff240be8d34d (associated ransom note: 7cf3b23cdb8c5fd74b094f76eb4ffc38e18bd58a) the threat actor communicates the URL of the blog where they intend to leak the victim’s data, which turns out to be the URL of the Cloak blog site. They also mention specific company names that can be found on the Cloak blog site.

The Cloak leak site first appeared in August of 2023 and currently lists 23 victims. Many of these victims are marked as “sold” and their respective data is not currently accessible on the surface.

Cloak victim blog
Cloak victim blog
Individual victim listing on Cloak blog
Individual victim listing on Cloak blog

Our analysis shows that Good Day ransomware victims are being threatened with having their data leaked or sold on the Cloak website. This intimidation tactic is amplified by the daunting list of “sold” victim companies that currently appear on the site. The threat actors leverage this and other intimidation tactics to coerce the victim into paying the ransom.

Regarding targeting, we also note that victims listed on the Cloak leak site indicate some amount of geographical focus. The main countries targeted are Germany, Italy, Taiwan, and France.

Good Day Ransomware Sample Analysis

In sample d5fba798bb2a0aaca17f17fa14f2ff240be8d34d, the ransom instructions point to a TOR-based victim portal at

47h4pwve4scndaneljfnxdhzoulgsyfzbgayyonbwztfz74gsdprz5qd[.]onion.

This sample masquerades as a Microsoft Windows Update executable (WindowsUpdate.exe). The ransomware is designed to be launched via a dropper or script, aligning it with past ARCrypter activity. The /START parameter is required to fully launch the ransomware.

Good Day masquerading as a legitimate Microsoft utility
Good Day masquerading as a legitimate Microsoft utility

The identifying strings that we expect to see in the ARCrypter family are also visible in this sample.

ARCrypt's "tell" strings
ARCrypt’s “tell” strings

This particular payload issues a User Access Control (UAC) prompt in order to elevate privileges when launched.

UAC Prompt from ransomware payload
UAC Prompt from ransomware payload

Once running, the malware will attempt to enumerate all local volumes to encrypt. This includes the use of wNetOpenEnum to identify available shares. In addition, the malware will enumerate all running processes.

Volume enumeration in Good Day
Volume enumeration in Good Day

The ransomware attempts to remove volume shadow copies (VSS) using the following command:

vssadmin.exe delete shadows /all /quiet
Volume Shadow Copy (VSS) Removal in Good Day
Volume Shadow Copy (VSS) Removal in Good Day

Affected files are renamed with the .crYptA or .crYptB extensions post-encryption. This pattern can extend up to .crYptE following the alphabet in series with the final letter in the extension.

Encrypted files with ".crYptA" extension
Encrypted files with .crYptA extension

The Good Day ransomware then delays execution of the payload via the following hidden command:

¬/c TIMEOUT /T 2>NUL&START /b "" cmd /c DEL "C:\Windows\explorer.exe" &DEL "WindowsUpdate.exe.exe" &EXIT
Storyline™ view of calls to timeout.exe (delayed execution/evasion)
Storyline™ view of calls to timeout.exe (delayed execution/evasion)

The ransomware also attempts to determine whether it is running in a specific debugger. The search list includes S-Ice.exe, ImmunityDebugger.exe, x64dbg.exe and others.

Good Day debugger search list
Good Day debugger search list

The malware contains a hardcoded list of folders and files that are to be excluded from encryption.

Good Day Exclusions list
Good Day Exclusions list

SentinelOne Protects Against Good Day (ARCrypter) Ransomware

The SentinelOne Singularity™ Endpoint platform detects and prevents malicious behaviors and artifacts associated with Good Day/ARCrypter ransomware.

Conclusion

Tracking the inputs and outputs of extortion groups is a significant part of the puzzle as we continue to research the growing web of threat actors. It always helps to be able to tie pieces together where they are not directly apparent.

Observing the URLs found in ransom notes and the existing structure of the victim blog sites, we are able to firmly establish the nature of the tie between Good Day and the Cloak leak site. The latest payloads for Good Day have yet to build on their ARCrypter roots, but we will continue to monitor this group and their payloads.

To learn about how SentinelOne can help protect the devices in your fleet from ransomware and other threats, contact us or request a free demo.

Indicators of Compromise

Payload
d5fba798bb2a0aaca17f17fa14f2ff240be8d34d

Ransom Notes
7cf3b23cdb8c5fd74b094f76eb4ffc38e18bd58a
7ef712604fca6ad5a368745a015354aba74f5f61
a3ff2d575adc8edb088706e1de1a18a2d789cd73
c374252e4cff08e3abcda06503998cd3d3ef8322

URLs

cloak7jpvcb73rtx2ff7kaw2kholu7bdiivxpzbhlny4ybz75dpxckqd[.]onion
dcpuyivlbzx56hqwsvey33bxobxw3timjgljjy3index6qvdls5bjoad[.]onion
wwwieqvblhnel7wsb6jpxeen3dbmsqyozj2gzl2oyn6swrkq27jtusqd[.]onion
47h4pwve4scndaneljfnxdhzoulgsyfzbgayyonbwztfz74gsdprz5qd[.]onion
zxzs677rphmjznqgqzlsmjtqwqlydq47rwjesrt4dkkh6cc2ftlfhuqd[.]onion