GoodWill ransomware attackers share a three-page ransom note asking the victim to perform three tasks to get the decryption key- they want them to donate to the homeless, feed poor kids, and provide financial assistance to a patient in need.
CloudSEK Threat Intelligence Research team has warned about new ransomware dubbed GoodWill Ransomware that can cause temporary to permanent data loss and may also shut down operations, leading to massive revenue losses.
The digital risk monitoring service also reported that they traced the email IDs of the GoodWill Ransomware operators to an Indian IT security solutions/services provider offering end-to-end managed security services.
It is worth noting that this campaign was detected in New Delhi, India, in March 2022. According to CloudSEK’s analysis of the GoodWill Ransomware campaign, “the operators are allegedly interested in promoting social justice rather than conventional financial reasons.”
GoodWill Ransomware details
The GoodWill Ransomware is written in .NET and is equipped with UPX packets. The malicious software sleeps for 722.45 secs to interrupt dynamic analysis and leverages the AES_Encrypt feature and the AES algorithm for encrypting data.
One of its strings titled GetCurrentCityAsync can detect the infected device’s geolocation. GoodWill ransomware can encrypt every single file on a system, including databases, photos, and videos, and the victim cannot access the data unless they get the decryptor key.
Unique Demands of GoodWill Ransomware
According to CloudSec’s blog post, attackers share a three-page ransom note asking the victim to perform three tasks to get the decryption key- they want them to donate to the homeless, feed poor kids, and provide financial assistance to a patient in need.
In this ransomware-with-a-cause campaign, attackers demand people donate clothes to the homeless. Interestingly, the attackers ask people to offer food from high-end franchises like KFC, Dominos, or Pizza Hut to at least five less fortunate children. They demand victims post photos and videos of their charity activities on social media.
Furthermore, the victims provide financial aid to someone in need of urgent medical care who cannot afford it at any nearby hospital, record their audio and send it to the GoodWill Ransomware operators.
Once the victim completes these tasks, the attacker demands to share a message on Instagram or Facebook to demonstrate their transformation into a humane individual. After verification, the attacker sends the victim a decryption kit for data recovery.
Goodwill ransomware group propagates very unusual demands in exchange for the decryption key. The Robin Hood-like group is forcing its Victims to donate to the poor and provides financial assistance to the patients in need.