
GoodMorning Ransomware

Cybersecurity researchers have identified a ransomware strain named GoodMorning. Once it runs on a system, GoodMorning encrypts a broad range of file types on the device, appends the '.goodmorning' extension to each encrypted file's original name, and then drops a ransom note named 'how_to_back_files.html.'

The renaming is a simple append: '1.jpg' becomes '1.jpg.goodmorning' and '2.png' becomes '2.png.goodmorning,' so the original name and extension remain visible and the new extension follows them. Analysis by security researchers places GoodMorning within the GlobeImposter Ransomware family, meaning it shares characteristics and behaviors with the other variants of that family.
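Because the ransomware only appends '.goodmorning' to the existing name, the original filename and extension can be recovered from the encrypted name, and the note filename is a fixed string. The following Python script, added here as an example and not code from the original page or from any analysis of the malware itself, uses those two indicators to inventory an affected directory tree: it lists encrypted files, tallies which original extensions were hit, and finds every copy of the ransom note, without modifying anything. The sample tree it scans is constructed inside a temporary directory.

```python
"""Read-only triage scan for GoodMorning ransomware artifacts (added example)."""
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

ENCRYPTED_SUFFIX = ".goodmorning"            # appended to every encrypted file's name
RANSOM_NOTE_NAME = "how_to_back_files.html"  # note dropped on the infected device


def original_name(name: str) -> Optional[str]:
    """Strip the appended suffix; return None if the name is not an encrypted-file name.

    '1.jpg.goodmorning' -> '1.jpg'.  Only the name is recovered, not the content.
    """
    if not name.lower().endswith(ENCRYPTED_SUFFIX):
        return None
    return name[: -len(ENCRYPTED_SUFFIX)]


def scan_tree(root) -> dict:
    """Walk root and inventory encrypted files and ransom notes. Nothing is modified."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname.lower() == RANSOM_NOTE_NAME:
                notes.append(path)
            elif original_name(fname) is not None:
                encrypted.append(path)
    # Count the original extensions so the responder can see which file types were hit.
    ext_counts = Counter(
        (os.path.splitext(original_name(os.path.basename(p)))[1].lower() or "(none)")
        for p in encrypted
    )
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "extensions": dict(ext_counts),
    }


def demo() -> dict:
    """Build a constructed sample tree in a temp directory and scan it."""
    base = tempfile.mkdtemp(prefix="goodmorning_demo_")
    sample = {  # constructed files; contents are placeholders, not real ciphertext
        "Documents/1.jpg.goodmorning": b"x",
        "Documents/2.png.goodmorning": b"x",
        "Documents/budget.xlsx.goodmorning": b"x",
        "Documents/how_to_back_files.html": b"<html>note</html>",
        "Pictures/untouched.jpg": b"x",  # not encrypted, must not be reported
        "how_to_back_files.html": b"<html>note</html>",
    }
    for rel, data in sample.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    result = scan_tree(base)
    result["root"] = base
    return result


if __name__ == "__main__":
    r = demo()
    print(f"{len(r['encrypted'])} encrypted files, {len(r['notes'])} ransom notes under {r['root']}")
    print("original extensions hit:", r["extensions"])
```

Run it as-is to scan the constructed sample; point scan_tree() at a real mount or a forensic copy for an actual case. Recovering the original name tells you what was encrypted and is useful for scoping the incident and for matching against backups, but it does not decrypt the content.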

The GoodMorning Ransomware Seeks to Extort Its Victims by Taking Their Data Hostage

The ransom note left by the GoodMorning Ransomware states that the victim's important data has been encrypted and can only be restored with a decryptor supplied by the attackers. The demanded payment is 1.5 BTC, which the note describes as the price for every PC and server on the victim's corporate network. At the time of writing this was worth over 75,000 USD, but given Bitcoin's volatility the dollar figure can change drastically in a short time.

The note tells victims to buy Bitcoin on platforms such as Binance or Coinbase and to send it to a BTC wallet whose full address is only provided after contacting the attackers; the note gives just the opening characters of that address and warns that any wallet not matching them belongs to someone else and that paying it means simply losing the money.

For contact, the note provides a Tox ID and a link to download the Tox chat client, and instructs victims to include the personal ID printed at the top of the note in their message. It also claims that corporate files and databases were stolen from the network and threatens that, if the ransom is not paid, they will be auctioned on DarkNet sites, offered directly to the victim's clients (who would be contacted by email and other means) and, if no buyer is found, published openly.

The attackers urge victims to contact them directly rather than through third-party 'helper' services, which they claim take payments without forwarding them while telling the victim the deal fell through. They add that if someone negotiates on the company's behalf they may ask the company to confirm that person's authority, and present the whole matter as "just business" open to polite negotiation.

Regardless of how the note is phrased, paying the ransom is strongly discouraged: the attackers' promise to restore files after payment carries no guarantee. Removing the ransomware from compromised systems promptly is also important, since a payload that is still running can continue encrypting files, including any that are restored or newly created.

Boost the Security of Your Devices Against Ransomware and Malware Attacks

Ransomware remains a persistent threat, causing data loss and financial harm to its victims, so strengthening your defenses against it is essential. Here are five security measures users can implement on their devices to reduce the risk and impact of a ransomware attack.

  • Regular Backups: Back up critical data regularly to external drives or secure cloud storage, and keep at least one copy offline or otherwise unreachable from the network, since ransomware that spreads across a network (as this note claims to do for all PCs and servers) will also encrypt any backup it can write to. With current, isolated backups, recovery does not depend on the attackers.
  • Software Updates: Keep the operating system, security software, and applications up to date. Timely patches close the vulnerabilities ransomware operators exploit to get in.
  • Email Vigilance: Treat unexpected attachments and links with suspicion; phishing email is a common ransomware delivery method. Verify the sender of an unexpected message through another channel before opening anything.
  • Quality Security Software: Install reputable anti-malware software, schedule regular scans, and keep its signatures updated so it can detect and block ransomware before it runs.
  • Network Security Measures: Use firewalls, intrusion detection/prevention systems, and network segmentation to limit unauthorized access and to stop ransomware on one machine from reaching file shares and other hosts.

Implementing these security measures can significantly enhance your device's resilience against ransomware attacks. By combining proactive measures, user vigilance, and the right security tools, users can minimize the risk of falling victim to ransomware and protect their valuable digital assets. Stay informed, stay secure.
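Security software and intrusion detection systems catch ransomware partly by watching for what GoodMorning does on disk: many files renamed to a single new extension within a short time, followed by a ransom note being written. As an added example (not from the original page, and not any real product's detection rule), the Python below applies that logic to file-activity log lines. The log format, process name, paths and thresholds are constructed for the example; the suffix and note name are the ones this page documents.

```python
"""Rename-burst and ransom-note detection over file-activity logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENCRYPTED_SUFFIX = ".goodmorning"
RANSOM_NOTE_NAME = "how_to_back_files.html"

# Assumed log line format (constructed for this example, not a real product's):
#   <ISO timestamp> pid=<n> proc=<image> op=<create|rename|write> path=<full path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) path=(?P<path>.+)$"
)


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for (a) the first time a process renames `threshold` files to the
    ransomware suffix inside a sliding `window`, and (b) every creation of the note."""
    recent = defaultdict(deque)  # pid -> timestamps of renames to the suffix
    flagged = set()              # pids already alerted on, to avoid repeats
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        pid, ts = ev["pid"], ev["ts"]
        path = ev["path"].replace("\\", "/").lower()
        basename = path.rsplit("/", 1)[-1]
        if ev["op"] == "rename" and basename.endswith(ENCRYPTED_SUFFIX):
            q = recent[pid]
            q.append(ts)
            while q and ts - q[0] > window:  # drop events that fell out of the window
                q.popleft()
            if len(q) >= threshold and pid not in flagged:
                flagged.add(pid)
                alerts.append({"kind": "rename_burst", "pid": pid, "proc": ev["proc"],
                               "count": len(q), "ts": ts.isoformat()})
        elif ev["op"] == "create" and basename == RANSOM_NOTE_NAME:
            alerts.append({"kind": "ransom_note", "pid": pid, "proc": ev["proc"],
                           "path": ev["path"], "ts": ts.isoformat()})
    return alerts


# Constructed sample telemetry: process name, user and paths are invented for the example.
SAMPLE_LOG = """\
2024-03-01T09:15:01 pid=4120 proc=svc_update.exe op=rename path=C:\\Users\\alice\\Documents\\1.jpg.goodmorning
2024-03-01T09:15:01 pid=4120 proc=svc_update.exe op=rename path=C:\\Users\\alice\\Documents\\2.png.goodmorning
2024-03-01T09:15:02 pid=4120 proc=svc_update.exe op=rename path=C:\\Users\\alice\\Documents\\budget.xlsx.goodmorning
2024-03-01T09:15:03 pid=4120 proc=svc_update.exe op=rename path=C:\\Users\\alice\\Documents\\notes.txt.goodmorning
2024-03-01T09:15:04 pid=2200 proc=WINWORD.EXE op=rename path=C:\\Users\\alice\\Documents\\report.docx
2024-03-01T09:15:05 pid=4120 proc=svc_update.exe op=rename path=C:\\Users\\alice\\Documents\\q4.pdf.goodmorning
2024-03-01T09:15:06 pid=4120 proc=svc_update.exe op=create path=C:\\Users\\alice\\Documents\\how_to_back_files.html
2024-03-01T09:15:07 pid=4120 proc=svc_update.exe op=rename path=C:\\Users\\alice\\Pictures\\photo.png.goodmorning
""".splitlines()


def run_demo():
    """Run the detector over the constructed sample and return its alerts."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The threshold and window are illustrative; on real telemetry they should be tuned against legitimate bulk-rename activity (installers, archivers, backup tools) to limit false positives. An alert of this kind should also trigger an automated response such as isolating the host, because encryption proceeds far faster than a human can react.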

The whole text of the ransom note dropped to devices infected by the GoodMorning Ransomware is:

'YOUR PERSONAL ID

ENGLISH
ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.

TO RESTORE FILES YOU WILL NEED A DECRYPTOR!
To get the decryptor you should:

Pay for decrypt your network 1.5 BTC ( this is price for all PC/Servers in your corporate NetWork ! )

Buy BTC on one of these sites
hxxps://binance.com
hxxps://www.coinbase.com
Any site you trust

BTC Wallet for pay: 3Disq313 (full wallet ask from support) !Attention! to payout wallet specifically for your company must begin with and finish with symbols indicated above, if you are offered any other wallet - know it's not us, but someone else! do not pay anything- you just lose money.

Our contact:

ToxID: CA04B61C320C50D12A2C1B95B5062474B5C00B995B588D0B3781DC052CBF9A354CD10F96C84D

You can download TOXChat here : hxxps://tox.chat/download.html

The message must contain your Personal ID! it is at top of this document.

Also, your corporate files and databases have been stolen from your network. In case of non-payment, we reserve the right to sell them to third parties or publish them in public resouses.

HOW IT WORKS:
In case of non-payment, we organize an auction on various sites in DarkNet and try to sell files leaked from your network to interested parties.
Next, we use mail + any other contacts of your clients, and notify them of what happened, perhaps they will be interested so that information does not get into public domain and will be ready to buy out information separately.

If there are no buyers willing to buy, we simply publish everything that we have in public resources.

Attention!

If you need a decrypter or return information, please contact us directly, avoid communicating with helper-services, they often take money and do not send it to us, assuring customers that deal failed through no fault of theirs. At same time, leaving money to yourself, and client is informed that money were transferred to us. The guarantee of a successful deals is only a direct contact! If you decide to negotiate not own - we can request confirmation of the negotiator's authority directly from the company. Please do not ignore these requests - otherwise negotiations will reach an impasse and problem not will be resolved. Don't shy… It's just business for us and we are always ready for polite and mutually beneficial communication.'
