Summary
In March 2022, researchers spotted a new ransomware family named GoodWill, with a new method to collect the ransom. Instead of requesting payment through crypto coins like other threats such as Night Sky or Hive, GoodWill requests that its victims help vulnerable people by following a sequence of steps, such as donating clothes, feeding less fortunate children, or providing financial assistance to hospital patients.
To prove these actions, the attacker requests the victim to record the good deeds and post the images/videos on Facebook, Instagram, WhatsApp or other social media.
But is GoodWill really a new ransomware family? After analyzing a few samples, Netskope Threat Labs found that this threat is 100% based on an open-source ransomware named Jasmin, which is a red team tool that can be used to simulate real ransomware attacks.
Aside from GoodWill, we also discovered other ransomware variants that were sourced from Jasmin. However, it is unclear if these files are weaponized samples, given the nature of the tool and the fact that we have not seen any evidence that attackers are using GoodWill or any of the variants we found in the wild. It is also possible that attackers could use this source code to easily create weaponized variants.
In this blog post, we will analyze the Jasmin ransomware tool and compare the code / operation with other samples found in the wild, including GoodWill.
Open-Source Project
Jasmin Ransomware is a tool that can be used by security teams to simulate ransomware attacks. It provides teams all the necessary infrastructure to conduct an attack, such as the source code to generate payloads, and front/back-end files for the web server.
Once running, Jasmin collects information about the environment and generates the key that will be used in the encryption process, sending this information to the C2 server. To decrypt the files, the victim must contact the attacker, who is in possession of the key.
The project contains the source code for the encryptor and the decryptor, which were created with C#. It also provides all the files related to the web panel, which uses PHP and MySQL.
Jasmin payloads can be generated through Visual Studio 2019 or later, and the developer suggests the usage of ngrok for port forwarding in the C2 server side.
Jasmin also provides a dashboard that the attacker can use to access information about infected devices and retrieve the decryption keys. The webpage is password-protected.
When setup for the first time, Jasmin populates the database with dummy data. The dashboard provides details about infected devices, such as the machine name, username, IP address, date of infection, location, OS and the decryption key.
Jasmin “Ransom Note”
Let’s take a look at what happens when a machine is infected by Jasmin ransomware. Within the “Web Panel” folder on GitHub, there’s a file named “alertmsg.zip”, which is downloaded by the ransomware upon execution. The ZIP file contains an offline web page that is displayed to the user after the infection.
In the main page, there’s a message saying to the victim to not be worried, as the files are safe.
The “What Happened to My Computer?” button leads to a description of Jasmin, stating that all user files were encrypted.
In the following page, Jasmin ransom states that it’s not seeking money, but to perform good actions for less fortunate people.
These good actions required by Jasmin are divided into three different activities. The first one asks the victim to donate new clothes or blankets.
The second activity requires Jasmin victims to bring five less fortunate children under 13 years old to a restaurant and let them order the food they want.
The third and final activity requires victims to provide medications to hospital patients.