The GoodWill Ransomware
Researchers have discovered a new ransomware strain called GoodWill that forces victims to donate money to charitable organizations and help those in need, rather than extort money from victims.
The ransomware group makes unusual demands in exchange for the decryption key, a report released last week by CloudSEK researchers reveals. Rather than extorting victims for financial gain, the Robin Hood-like group claims to be concerned with helping the less fortunate.
The ransomware, written in.NET, was first discovered in March 2022 by an Indian cybersecurity firm. The malware renders sensitive files inaccessible by encrypting them with the AES algorithm. Initially, however, the threat sleeps for 722.45 seconds to avoid dynamic analysis.
In order to get the decryption key, the victims must complete a series of socially-motivated tasks detailed in a multi-page ransom note that appears after the encryption process is complete. This includes donating new clothing and blankets to the homeless, taking any five underprivileged children to Domino’s Pizza, Pizza Hut, or KFC for a treat, and providing financial support to patients who need urgent medical attention but lack the financial means to do so.
In addition, the victims are required to post screenshots and selfies on their social media accounts as proof of the good deeds they’ve completed. The victims are also asked to write a post on social media (Facebook or Instagram) about how they became better people after being infected by the ransomware called GoodWill.
Researchers reveal that, as of now, there are no reports of victims of GoodWill’s attacks, and the hacking group’s exact tactics, techniques, and procedures (TTPs) are unknown. An analysis of the email address and network artifacts, however, suggests the attackers are from India and speak Hindi.
A fact that is interesting to note is that HiddenTear, the first ransomware to be open-sourced as a proof-of-concept (PoC) back in 2015 by a Turkish programmer, has been found to share many similarities with the new GoodWill ransomware sample. According to the researchers, GoodWill operators may have gained access to this malware, enabling them to create new ransomware with the necessary modifications.