CloudSEK's Threat Intelligence research team has recently disclosed GoodWill ransomware, which forces victims to donate to the poor and provide financial assistance to patients in need.
According to CloudSEK's researchers, “Goodwill ransomware group propagates very unusual demands in exchange for the decryption key. The Robin Hood-like group is forcing its victims to donate to the poor and provides financial assistance to the patients in need”.
GoodWill ransomware was identified by the India-based cybersecurity firm in March 2022. “As the threat group’s name suggests, the operators are allegedly interested in promoting social justice rather than conventional financial reasons”.
Characteristics of GoodWill Ransomware
This ransomware is written in .NET and packed with UPX. It sleeps for 722.45 seconds to interfere with dynamic analysis, since a sandbox run that times out earlier never sees the payload act. The ransomware encrypts files through a function named AES_Encrypt, which uses the AES algorithm. One of the embedded strings is “GetCurrentCityAsync”, a routine that tries to determine the geolocation of the infected device.
Activities In Exchange For the Decryption Key
Much like Robin Hood, the ransomware does not demand payment in cryptocurrency; instead, it gives victims four activities to perform in order to receive the decryption key. The ransomware worm encrypts documents, photos, videos, databases, and other important files, rendering them inaccessible without the decryption key.
Activity 1: Donate new clothes to the homeless, record the action, and post it on social media.
Activity 2: Take five less fortunate children to Dominos, Pizza Hut or KFC for a treat, take pictures and videos, and post them on social media.
Activity 3: Provide financial assistance to anyone who needs urgent medical attention but cannot afford it, at a nearby hospital, record audio, and share it with the operators.
After completing all the tasks given, the victims must post on their social media accounts: “How you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill.”
The actors insist that victims record video proof of every activity and post it on social media, and the operators then verify these posts. Only then do the threat actors share the complete decryption kit, which includes the main decryption tool, a password file, and a video tutorial on how to recover all the affected files.
During their analysis, the researchers identified some 1,246 strings in this ransomware, 91 of which overlap with HiddenTear, the first ransomware to have been open-sourced as a proof-of-concept (PoC), back in 2015 by a Turkish programmer. An analysis of the email address and network artifacts also suggests that the operators are based in India and that they speak Hindi.
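As an added example (not CloudSEK's code or anything from the article), the following Python performs the kind of static triage described in the characteristics section and in the string-overlap analysis above: it extracts ASCII and UTF-16LE string runs from a binary the way the `strings` utility does, flags the indicators the article names (UPX packing, a .NET binary, `AES_Encrypt`, `GetCurrentCityAsync`), and computes the string-overlap count that the researchers report as 91 of 1,246 against HiddenTear. The two byte blobs are constructed stand-ins, not real samples; the UPX section names and the CLR `BSJB` metadata signature are well-known markers that are not taken from the article.

```python
import re
from typing import Dict, List, Set, Tuple

# Minimum run length, matching the `strings` utility's default.
MIN_LEN = 4
# Runs of printable ASCII bytes.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# .NET stores user strings as UTF-16LE, so ASCII text shows up as char/NUL pairs.
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Indicators named in the article (AES_Encrypt, GetCurrentCityAsync) plus well-known
# markers: UPX section names and magic, and the CLR metadata signature "BSJB".
INDICATORS: Dict[str, List[str]] = {
    "upx_packed": ["UPX0", "UPX1", "UPX!"],
    "dotnet": ["BSJB", "mscoree.dll", "_CorExeMain"],
    "aes_routine": ["AES_Encrypt"],
    "geolocation": ["GetCurrentCityAsync"],
}


def extract_strings(data: bytes) -> Set[str]:
    """Return the set of ASCII and UTF-16LE string runs found in a byte blob."""
    found = {m.group().decode("ascii") for m in _ASCII_RUN.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in _UTF16_RUN.finditer(data)}
    return found


def triage(data: bytes) -> Dict[str, List[str]]:
    """Map each indicator family to the needles present in the sample's strings."""
    strings = extract_strings(data)
    return {
        family: [n for n in needles if any(n in s for s in strings)]
        for family, needles in INDICATORS.items()
    }


def string_overlap(a: bytes, b: bytes) -> Tuple[int, int, int]:
    """Return (strings in a, strings in b, strings shared by both)."""
    sa, sb = extract_strings(a), extract_strings(b)
    return len(sa), len(sb), len(sa & sb)


def _utf16(s: str) -> bytes:
    """Encode a string the way a .NET user-string heap stores it (UTF-16LE, NUL-terminated)."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a UPX-packed .NET sample; not a real binary.
SAMPLE_A = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"UPX0\x00\x00\x00\x00" + b"UPX1\x00\x00\x00\x00" + b"UPX!\x0d\x09"
    + b"BSJB\x01\x00\x01\x00"
    + _utf16("AES_Encrypt") + _utf16("GetCurrentCityAsync")
    + _utf16("EncryptFile") + _utf16("CreateEncryptor") + _utf16("ReadMe.txt")
    + b"\x00" * 8
)

# Constructed stand-in for an unpacked .NET sample that shares some strings with SAMPLE_A.
SAMPLE_B = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b".text\x00\x00\x00" + b"BSJB\x01\x00\x01\x00"
    + _utf16("EncryptFile") + _utf16("CreateEncryptor") + _utf16("UploadReport")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for name, sample in (("SAMPLE_A", SAMPLE_A), ("SAMPLE_B", SAMPLE_B)):
        print(name, triage(sample))
    total_a, total_b, shared = string_overlap(SAMPLE_A, SAMPLE_B)
    print(f"{shared} of {total_a} strings in SAMPLE_A also appear in SAMPLE_B ({total_b} total)")
```

Because the sample sleeps for 722.45 seconds before doing anything, a sandbox run with a shorter timeout may never observe encryption; string triage of this kind surfaces the packer, runtime, and routine names regardless of how the sample behaves at runtime, and the overlap count is the same measure the researchers used to relate the sample to HiddenTear's open-source code.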