GoodWill Ransomware will force you to do good deeds

The GoodWill Ransomware

Researchers have discovered a new ransomware strain called GoodWill that forces victims to donate money to charitable organizations and help those in need, rather than extort money from victims.

GoodWill Ransomware
The GoodWill Ransomware message

The ransomware group makes unusual demands in exchange for the decryption key, a report released last week by CloudSEK researchers reveals. Rather than extorting victims for financial gain, the Robin Hood-like group claims to be concerned with helping the less fortunate.

GoodWill Virus
The GoodWill virus demands

The ransomware, written in.NET, was first discovered in March 2022 by an Indian cybersecurity firm. The malware renders sensitive files inaccessible by encrypting them with the AES algorithm. Initially, however, the threat sleeps for 722.45 seconds to avoid dynamic analysis.

In order to get the decryption key, the victims must complete a series of socially-motivated tasks detailed in a multi-page ransom note that appears after the encryption process is complete. This includes donating new clothing and blankets to the homeless, taking any five underprivileged children to Domino’s Pizza, Pizza Hut, or KFC for a treat, and providing financial support to patients who need urgent medical attention but lack the financial means to do so.

In addition, the victims are required to post screenshots and selfies on their social media accounts as proof of the good deeds they’ve completed. The victims are also asked to write a post on social media (Facebook or Instagram) about how they became better people after being infected by the ransomware called GoodWill.

Researchers reveal that, as of now, there are no reports of victims of GoodWill’s attacks, and the hacking group’s exact tactics, techniques, and procedures (TTPs) are unknown. An analysis of the email address and network artifacts, however, suggests the attackers are from India and speak Hindi.

A fact that is interesting to note is that HiddenTear, the first ransomware to be open-sourced as a proof-of-concept (PoC) back in 2015 by a Turkish programmer, has been found to share many similarities with the new GoodWill ransomware sample. According to the researchers, GoodWill operators may have gained access to this malware, enabling them to create new ransomware with the necessary modifications.


About the author


Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment