Good Day ransomware, a variant within the ARCrypter family, was first observed in-the-wild in May of 2023. Between June and August of 2023, we observed an uptick in Good Day ransomware campaigns and a proliferation of new ransom note samples in public malware repositories. This new wave of Good Day attacks feature individual TOR-based victim portals for each target.
In this post, we expand on several unique Good Day ransom notes and victim portals and share our analysis of a sample associated with a URL leading to a known Cloak extortion site. By tying these recent Good Day campaigns to victims listed on the Cloak site, we can associate the Cloak data sales and leaks with Good Day through publicly viewable chats on the group’s TOR-based victim portals.
The discovery of such connections helps us chart the ever-dynamic relationships between existing and new vulnerabilities and threat actors. The more we can tie together these moving parts, the better chance that security practitioners have of reducing risk within their organizations.
Good Day Victim Portals Linked To Cloak Extortion Site
In July and August of 2023, we observed multiple new TOR-based URLs being staged for use by the Good Day group. Each portal is intended for a corresponding attack and specific victim. Similarly, each Good Day payload points to a specific victim portal.
Good Day (ARCrypter) victims are greeted with a ‘Good day’ welcome message when following the instructions provided in their ransom notes and opening the portal tied to the payload that encrypted their devices.
Some of the portals have been revealed in previous research by Cyble. However, analysis of a series of new ransom notes reveal that Good Day victims are also listed on the Cloak extortion blog site.
In particular, we found a series of ransom notes that all include the email address
MikLYmAklY555[@]cock[.]li, which was also previously seen in AstraLocker campaigns.
At the time of writing, victim chats on the Good Day portals remain publicly accessible. Within these publicly accessible chats, we can see the threat actors communicating data to the victim.
In the case of sample
d5fba798bb2a0aaca17f17fa14f2ff240be8d34d (associated ransom note:
7cf3b23cdb8c5fd74b094f76eb4ffc38e18bd58a) the threat actor communicates the URL of the blog where they intend to leak the victim’s data, which turns out to be the URL of the Cloak blog site. They also mention specific company names that can be found on the Cloak blog site.
The Cloak leak site first appeared in August of 2023 and currently lists 23 victims. Many of these victims are marked as “sold” and their respective data is not currently accessible on the surface.
Our analysis shows that Good Day ransomware victims are being threatened with having their data leaked or sold on the Cloak website. This intimidation tactic is amplified by the daunting list of “sold” victim companies that currently appear on the site. The threat actors leverage this and other intimidation tactics to coerce the victim into paying the ransom.
Regarding targeting, we also note that victims listed on the Cloak leak site indicate some amount of geographical focus. The main countries targeted are Germany, Italy, Taiwan, and France.
Good Day Ransomware Sample Analysis
d5fba798bb2a0aaca17f17fa14f2ff240be8d34d, the ransom instructions point to a TOR-based victim portal at
This sample masquerades as a Microsoft Windows Update executable (
WindowsUpdate.exe). The ransomware is designed to be launched via a dropper or script, aligning it with past ARCrypter activity. The
/START parameter is required to fully launch the ransomware.
The identifying strings that we expect to see in the ARCrypter family are also visible in this sample.
This particular payload issues a User Access Control (UAC) prompt in order to elevate privileges when launched.
Once running, the malware will attempt to enumerate all local volumes to encrypt. This includes the use of
wNetOpenEnum to identify available shares. In addition, the malware will enumerate all running processes.
The ransomware attempts to remove volume shadow copies (VSS) using the following command:
vssadmin.exe delete shadows /all /quiet
Affected files are renamed with the
.crYptB extensions post-encryption. This pattern can extend up to
.crYptE following the alphabet in series with the final letter in the extension.
The Good Day ransomware then delays execution of the payload via the following hidden command:
¬/c TIMEOUT /T 2>NUL&START /b "" cmd /c DEL "C:\Windows\explorer.exe" &DEL "WindowsUpdate.exe.exe" &EXIT
The ransomware also attempts to determine whether it is running in a specific debugger. The search list includes
x64dbg.exe and others.
The malware contains a hardcoded list of folders and files that are to be excluded from encryption.
SentinelOne Protects Against Good Day (ARCrypter) Ransomware
The SentinelOne Singularity™ Endpoint platform detects and prevents malicious behaviors and artifacts associated with Good Day/ARCrypter ransomware.
Tracking the inputs and outputs of extortion groups is a significant part of the puzzle as we continue to research the growing web of threat actors. It always helps to be able to tie pieces together where they are not directly apparent.
Observing the URLs found in ransom notes and the existing structure of the victim blog sites, we are able to firmly establish the nature of the tie between Good Day and the Cloak leak site. The latest payloads for Good Day have yet to build on their ARCrypter roots, but we will continue to monitor this group and their payloads.
Indicators of Compromise
cloak7jpvcb73rtx2ff7kaw2kholu7bdiivxpzbhlny4ybz75dpxckqd[.]onion dcpuyivlbzx56hqwsvey33bxobxw3timjgljjy3index6qvdls5bjoad[.]onion wwwieqvblhnel7wsb6jpxeen3dbmsqyozj2gzl2oyn6swrkq27jtusqd[.]onion 47h4pwve4scndaneljfnxdhzoulgsyfzbgayyonbwztfz74gsdprz5qd[.]onion zxzs677rphmjznqgqzlsmjtqwqlydq47rwjesrt4dkkh6cc2ftlfhuqd[.]onion