This ransomware forces victims to do acts of goodwill to get their files back

A screenshot of the GoodWill ransomware

We are always hearing about ransomware that encrypts systems and then demands a payment from victims, usually in the form of cryptocurrency, to get their data back. But it appears that a new strain of ransomware has now emerged that asks users to perform acts of good in order to decrypt their environments.

CloudSEK's Threat Intelligence Research team has recently identified a ransomware that goes by the name of "GoodWill". In order to receive a decryption key, the victim has to perform acts of kindness such as feeding the less fortunate, providing them with blankets, and offering money to people at hospitals. In total, there are three activities that a victim must complete in order to recover their data.

A screenshot of the demand made by GoodWill ransomware

As can be seen above, the first activity requires you to provide clothes and blankets to needy people on the side of the road and make a video of yourself doing this. This video also has to be posted to social media in order to encourage others. This information then has to be emailed to the attackers as evidence of completion.

A screenshot of the demand made by GoodWill ransomware

Then, the second activity requires you to feed five children from fast food chains and treat them well while doing it. The victim also has to take selfies with them and again post these photos and videos on social media. An image of the restaurant bill along with links to the social media posts then has to be sent to the attacker.

A screenshot of the demand made by GoodWill ransomware

Finally, the third activity forces you to go to a hospital and pay for the medical treatment of those in need of financial assistance. Selfies have to be taken with these people too, and the audio of the conversation has to be recorded as proof. Then, a "beautiful article" about this has to be posted on social media, in which you have to explain to people how becoming a victim of the GoodWill ransomware was basically the best thing to have ever happened to you.

Once all the information has been verified by the attackers, they will send a decryption tool so that you can recover your files.

CloudSEK was able to trace IP addresses and the email address back to an IT company in India that purportedly manages end-to-end security. GoodWill has similarities with the HiddenTear ransomware but CloudSEK was also able to find strings in the code written in Hinglish such as "error hai bhaiya", which translates to "There is an error, brother".

Although CloudSEK hasn't gone into details about how the ransomware is spread, it has shared a number of indicators of compromise (IOCs) and mitigation techniques in its blog post.
