ShivaGood ransomware is a file locking virus that uses several other malware components

ShivaGood ransomware is malware, which first showed up in the wild back in September 2018, attacking several businesses and regular computer users. Since then a few other variants emerged, although they all append the same extension to files – .good. The attackers ask to pay a ransom in Bitcoins for the decryption tool and provide dsupport@airmail.cc, xxxsupport@protonmail.com, or badguyconsult@protonmail.com emails for communication purposes.
ShivaGood ransomware, otherwise known as Mimicry ransomware, takes numerous characteristics from different malware: the same file extension was used by Scarab-Horsia, while initial identifications of a sample pointed at Crypt0L0cker due the name of the ransom note – HOW_TO_RECOVER_FILES.txt. Nevertheless, it turned out that it has nothing to do with these two families, and its a modified version of the open-source HiddenTear ransomware, which makes it secure. In other words, ShivaGood virus-encrypted files cannot be decrypted, and the server used by hackers turns out to be dead as well, so paying a ransom is useless.
| Name | ShivaGood |
| Type | Ransomware, cryptomalware |
| Alternative names | Mimicry ransomware, .good ransomware |
| Derives from | HiddenTear – the open-source ransomware |
| Main executable | Frost.exe which is dropped into “Frenchkiss” folder |
| Encryption algorithm | Malware applies AES cipher to lock all files located on the system, although it skips .exe and system files like .sys or .dll |
| File extension | Each of the files is marked with .good extension. Encrypted example: picture.jpg.good |
| Ransom note | HOW_TO_RECOVER_FILES.txt is dropped on the desktop and all the folders where encrypted data is located |
| Contact | dsupport@airmail.cc, xxxsupport@protonmail.com, or badguyconsult@protonmail.com |
| File decryption |
Paying criminals is useless, as the server the malware is meant to contact is no longer accessible, so they will not be able to recover the data – even after the Bitcoin payment. Other options are as follows:
|
| Malware removal | Use reputable anti-malware software to get rid of ShivaGood. If not successful, you should run a different malware removal tool and/or access Safe Mode with Networking as explained below |
| Windows system recovery | In case your Windows system is crashing, returning BSODs,[1] errors and similar, you can remediate your OS with the help of PC repair software FortectIntego |
There is no precise information on how ShivaGood ransomware spreads. However, because hackers are keen to attack businesses, there is a high chance that the malware compromises servers and networks via weakly protected Remote Desktop connections. Other methods might include:
- Spam emails;
- Exploits;[2]
- Fake updates;
- Backdoors;
- Cracks, etc.;
Soon after the infection, the ShivaGood virus creates a folder named “Frenchkiss and places the frost.exe file inside it. From there, the executable is launched, and the infection of the computer, along with all the connected networks as well as servers, begins.
ShivaGood ransomware performs various modifications to the host machine, including dropping several malicious files, modifying the Windows registry, deleting Shadow Volume copies, etc. All the changes to the system are initiated for a different purpose; for example, registry modification ensures that the malware is booted with each system start while deleting of automatic Windows backups makes automatic recovery impossible. Nevertheless, after ShivaGood ransomware removal, victims can fix the damage done by the virus with the help of such tools as FortectIntego.

As soon as preparations are complete, ShivaGood ransomware locks all files with the help of the AES encryption algorithm,[3] restricting the access to all data, although the system and executable files remain untouched. Likewise, all the encrypted files are marked with .good extension.
The ransom note HOW_TO_RECOVER_FILES.txt states the following:
Your personal identifier: Y4GIE
Your important files are now encrypted due to a security problem with your PC!
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.Contact us using this email address: dsupport@airmail.cc
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain
valuable information (databases, backups, large excel sheets, etc.).How to obtain Bitcoins?
* The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click'Buy bitcoins', and select the seller by payment method and price:
https://localbitcoins.com/buy_bitcoins
* Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoinsAttention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price
(they add their fee to our) or you can become a victim of a scam.
As mentioned before, contacting hackers is useless, as they themselves would not be able to retrieve the required key for the data decryption. Instead, we would suggest focussing on ShivaGood ransomware removal with the help of anti-malware software, such as SpyHunterCombo Cleaner or MalwarebytesMalwarebytes. In case of troubles, we provide full instructions on how to enter Safe Mode if malware is preventing security tools from working correctly.
Protect the RDP and apply other precautionary measure to reduce the infection chances to a minimum
As previously mentioned, there is a high chance that malicious actors are using unprotected Remote Desktop connections to infect victims with malware. The principle of this infection method is relatively simple, as crooks employ automated software that scans the internet for poorly protected connections (those running the default TCP port 3389) and then brute-force their way in with the help of other tools. As a result, the attackers gain access remotely and install ransomware manually. RDP attacks are extremely prevalent when it comes to malware attacks on businesses and organizations. Nevertheless, regular users using the feature are also in danger, so it is important to protect RDP connections with strong passwords and correct configuration settings.
Since many ransomware developers use several different tactics for distribution, it is vital to make sure that other precautionary measures are also practiced. Security experts at dieviren.de[4] provide the following security tips:
- Backup all important data regularly;
- Equip your machine with comprehensive security software;
- Employ additional security tools like ad-blocks and a firewall;
- Patch your Windows OS along with all installed programs with security updates;
- Use strong passwords for all your accounts and never reuse them;
- Never download pirated software installers or cracks/keygens/loaders.

Delete ShivaGood ransomware before trying to recover the encrypted data
Many users are perplexed about what to do once they are hit by ransomware, as most never encountered it or never even heard of it before. As a general rule, security researchers claim that many cryptomalware viruses simply self-delete after performing the encryption routine. Nevertheless, some might also infect additional modules that steal sensitive data or remain on the system until terminated. Therefore, ShivaGood ransomware removal should always be performed.
Nevertheless, before you remove ShivaGood ransomware, you need to make a copy of encrypted files, as the process might damage them permanently – and the same goes for the recovery. Thus, copy all the encrypted data to the USB flash or a remote server, and then scan your system with anti-malware software to get rid of all the malicious components ShivaGood virus might have dropped. If the malware is tampering with your AV, access Safe Mode, as explained below.
Was this guide helpful?
Be the first to comment