[GoodMorning ransomware]
[Virus/Malware Activity Report: GoodMorning Ransomware]
Following a breach believed to involve GoodMorning ransomware,
we confirm the situation and issue the following warning.
GoodMorning ransomware
The ransomware in question is called GoodMorning and appears to rename every file it encrypts to the form <file name.extension.goodmorning>.
How it works
File version
[Figure 1 Ransomware executable file compiler information]
[Figure 2 File information in window properties]
Ransomware operation characteristics
The ransomware is C++-based. When it encrypts, it is copied to the AppData\Local location and registered under the name “BrowserUpdateCheck” in the startup program registry (the user's RunOnce item). When encryption is complete, a command bat file is created in the Temp (temporary folder) location, and all shadow copies, Windows RDP connection records, and event logs are deleted.
[Figure 3 Ransomware executable file registered in startup program registry and ransomware copied to corresponding location]
[Figure 4 Static code that creates and executes a command bat file in a temporary folder when encryption is completed]
[Figure 5 bat file created in temporary folder and its contents]
Infection results
The guidance file <how_to_back_files.html> is created in each folder, and the encrypted files are changed to <file name.extension.goodmorning>.
[Figure 6 Infection results]
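The indicators described above (the .goodmorning suffix, the how_to_back_files.html guidance file, and the “BrowserUpdateCheck” RunOnce entry) can be checked with a short triage script. This is an added example, not code from the report or from White Defender; it assumes the RunOnce values have already been exported as a name-to-command mapping, that the copy location is the user's AppData\Local folder, and all sample paths are constructed.

```python
import os
import tempfile
from pathlib import Path, PureWindowsPath

ENC_SUFFIX = ".goodmorning"            # appended extension, from the report
NOTE_NAME = "how_to_back_files.html"   # guidance file name, from the report
RUN_VALUE = "BrowserUpdateCheck"       # RunOnce value name, from the report


def scan_tree(root):
    """Return {folder: {"note": bool, "encrypted": [(file, original_name)]}}
    for every folder under root that shows a file indicator from the report."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        note = any(f.lower() == NOTE_NAME for f in files)
        enc = sorted(
            (f, f[: -len(ENC_SUFFIX)])          # strip suffix to recover the name
            for f in files
            if f.lower().endswith(ENC_SUFFIX) and len(f) > len(ENC_SUFFIX)
        )
        if note or enc:
            hits[folder] = {"note": note, "encrypted": enc}
    return hits


def check_runonce(values):
    """values: {value_name: command} exported from the user's RunOnce key
    (assumed input format). Flags entries named like the report's value and
    notes whether the target sits under AppData/Local."""
    findings = []
    for name, command in values.items():
        if name.lower() != RUN_VALUE.lower():
            continue
        parts = [p.lower() for p in PureWindowsPath(command.strip().strip('"')).parts]
        in_local = any(a == "appdata" and b == "local" for a, b in zip(parts, parts[1:]))
        findings.append({"name": name, "command": command, "in_appdata_local": in_local})
    return findings


if __name__ == "__main__":
    # Constructed sample data, not artifacts from a real incident.
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "docs")
        docs.mkdir()
        for n in ("report.docx.goodmorning", NOTE_NAME, "clean.txt"):
            (docs / n).write_text("x")
        print(scan_tree(tmp))
    print(check_runonce({RUN_VALUE: r"C:\Users\alice\AppData\Local\svc.exe"}))
```

A RunOnce value is removed once it has run, so an empty result from check_runonce does not rule out infection; the file indicators from scan_tree persist.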
White Defender compatible
White Defender blocks the ransomware's malicious actions in advance and supports real-time automatic restoration of files targeted for encryption.
[Figure 7 Block message]