This ransomware forces victims to do acts of goodwill to get their files back
Usama Jawad @UsamaJawad96 · May 25, 2022 04:30 EDT
A screenshot of the GoodWill ransomware
We are always hearing about ransomware that encrypts systems and then demands a payment from victims, usually in the form of cryptocurrency, to get their data back. But it appears that a new strain of ransomware has now emerged that asks victims to perform acts of good in order to decrypt their environments.
CloudSEK's Threat Intelligence Research team has recently identified a ransomware strain that goes by the name of "GoodWill". In order to receive a decryption key, the victim has to perform acts of kindness such as feeding the less fortunate, providing them with blankets, and offering money to people at hospitals. In total, there are three activities that a victim must complete before they can recover their data.
A screenshot of the demand made by GoodWill ransomware
As can be seen above, the first activity requires you to provide clothes and blankets to needy people on the side of the road and make a video of yourself doing this. This video also has to be posted to social media in order to encourage others. This information then has to be emailed to the attackers as evidence of completion.
A screenshot of the demand made by GoodWill ransomware
Then, the second activity requires you to feed five children from fast food chains and treat them well while doing it. The victim also has to take selfies with them and again post these photos and videos on social media. An image of the restaurant bill along with links to the social media posts then has to be sent to the attacker.
A screenshot of the demand made by GoodWill ransomware
Finally, the third activity forces you to go to a hospital and pay for the medical treatment of those in need of financial assistance. Selfies have to be taken with these people too, and the audio of the conversation has to be recorded as proof. Then, a "beautiful article" about this has to be posted on social media, in which you have to explain to people how becoming a victim of GoodWill ransomware was basically the best thing to have ever happened to you.
Once all the information has been verified by the attackers, they will send a decryption tool so that you can recover your files.
CloudSEK was able to trace IP addresses and the email address back to an IT company in India that purportedly manages end-to-end security. GoodWill has similarities with the HiddenTear ransomware but CloudSEK was also able to find strings in the code written in Hinglish such as "error hai bhaiya", which translates to "There is an error, brother".
Although CloudSEK hasn't gone into details about how the ransomware is spread, it has shared a lot of indicators of compromise (IOCs) and mitigation techniques in its blog post.