“GoodWill ransomware was identified by CloudSEK researchers in March 2022. As the name of the threat group suggests, practitioners would be interested in promoting social justice rather than conventional financial reasons,” CloudSEK said in a report.
Once infected, the GoodWill ransomware worm encrypts documents, photos, videos, databases and other important files and makes them inaccessible without the decryption key.
“The actors suggest that the victims carry out three socially guided activities in exchange for the decryption key: donate new clothes to the homeless, record the action and post it on social media; bring five less fortunate children to Dominos, Pizza Hut or KFC for a surprise, take photos and videos, and post them on social media; and provide financial assistance to anyone who is in need of urgent medical attention but can’t afford it, at a nearby hospital, record the audio and share it with operators,” the report said.
Once all three activities are complete, the ransomware asks victims to write a note on social media (Facebook or Instagram) about “how you turned into a kind human being by becoming a victim of a ransomware called GoodWill”.
After completing all three tasks, the ransomware operators verify the media files shared by the victim and their social media posts.
The actor will then share the full decryption kit which includes the master decryption tool, password file, and a video tutorial on how to recover all important files, the report states.
“Our researchers were able to trace the email address, provided by the ransomware group, to an India-based IT security services and solutions company that provides end-to-end managed security services,” the report states.