We are always hearing about ransomware that encrypts systems and then demands a payment from victims, usually in the form of cryptocurrency, to get their data back. But it appears that a new strain of ransomware has now emerged that asks users perform acts of good in order to decrypt their environments.
CloudSEK's Threat Intelligence Research team has recently identified a ransomware that goes by the name of "GoodWill". In order to receive a decryption key, the victim has to perform acts of kindness such as feed the less fortunate, provide them blankets, and offer money to people at hospitals. In total, there are three activities that a victim must engage in so they can recover their data.
As can be seen above, the first activity requires you to provide clothes and blankets to needy people on the side of the road and make a video of yourself doing this. This video also has to be posted to social media in order to encourage others. This information then has to be emailed to the attackers as evidence of completion.
Then, the second activity requires you to feed five children from fast food chains and treat them well while doing it. The victim also has to take selfies with them and again post these photos and video on social media. An image of the restaurant bill along with links to the social media posts then has to be sent to the attacker.
Finally, the third activity forces you to go to a hospital and pay for the medical treatment of those in need of financial assistance. Selfies have to be taken with these people too and the audio conversation has to be recorded as proof. Then, a "beautiful article" about this has to be posted on social media and you have to explain to people how becoming a ransomware of GoodWill was basically the best thing to have ever happened to you.
Once all the information has been verified by the attackers, they will send a decryption tool so that you can recover your files.
CloudSEK was able to trace IP addresses and the email address back to an IT company in India that purportedly manages end-to-end security. GoodWill has similarities with the HiddenTear ransomware but CloudSEK was also able to find strings in the code written in Hinglish such as "error hai bhaiya", which translates to "There is an error, brother".
Although CloudSEK hasn't gone into details about how the ransomware is spread, it has shared a lot of indicators of compromise (IOCs) and mitigation techniques in its blog post here.