GoodWill ransomware dons Robinhood hat

Asks victims to do three good deeds to get back their hacked data

By Kiran N. Kumar

For those who watched the Telugu movie ‘Tagore’ where the hero Chiranjeevi encourages people to do three good things daily, the news of GoodWill ransomware may sound familiar.

But there’s a difference. The hero in the film sought to spread the message of helping three others daily on a voluntary basis, not under pressure. The new strain of ransomware GoodWill, however, forces its victims to do three charitable tasks if their data has been blocked by these hackers.

It obliges the victim to undertake these good deeds, instead of making any payment directly as other ransomware do. Throughout the process, victims should record their good deeds and post them on social media.

Read: How to prepare for unforeseen cyber threats (May 27, 2022)

The first task, for instance, reportedly wants the victim to provide clothing and blankets to the poor, then take five children under 13 to a Dominos, KFC, or Pizza Hut, and take a selfie with the kids after their meal. Next, the victim should visit a hospital and contact a poor patient and pay his entire bill or most of it.

The GoodWill also provided, as per the reports, a photo frame where the victim has to upload his good deeds and share them on social media such as Instagram, Facebook or WhatsApp.

“It doesn’t cost you high, but matters for humanity,” wrote the hacker group on its ransom note, put out by threat analysts CloudSEK last March.

The GoodWill ransomware encrypts documents, photos, videos, databases and files and makes them inaccessible without the decryption key. To retrieve the data, it leaves behind a note for three activities named “Image of Activity 1”, “Image of Activity 2” and “Image of Activity 3”.

Read: Top 5 biggest hacks, leaks and data breaches of 2016 (December 15, 2016)

CloudSEK lists these artefacts of GoodWill:
• The ransomware is written in .NET and packed with UPX packers.
• It sleeps for 722.45 seconds to interfere with dynamic analysis.
• It leverages the AES_Encrypt function to encrypt, using the AES algorithm.
• One string “GetCurrentCityAsync,” detects the geolocation of the victim’s device.

Once the victim’s device is infected, the GoodWill group demands that they record each activity and share them with visuals on social media accounts.

After completing the three tasks, the victim is asked to write a note on social media on “How you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill.”

After this task, the ransomware group shares a decryption kit including a decryption tool, password and a video tutorial on how to recover all important files.

But it is still not clear how they select their victims. For instance, a friend known to this writer was a regular contributor to “Save the Child” campaign until he lost his job during the pandemic.

Read: New ‘GoodWill’ Ransomware Forces Victims to Donate Money and Clothes to the Poor (May 29, 2022)

However, the child campaign undertakers remained coercive to force him for donations, now on a daily basis, at least from three different numbers.

Will he be part of the new coercive campaign of GoodWill? How can these erstwhile donors escape the coercive donation campaigns unleashed constantly online and on TV screens, of late?

Is there any criteria to select the GoodWill ransomware victims? It remains to be seen.

Leave a Comment

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.