Goodwill Ransomware Strain Emerges

Industry: N/A | Level: Strategic | Source: CloudSEK

CloudSEK researchers have observed the GoodWill ransomware strain emerge in March 2022, however as opposed to strict financial demands, the operators demand victims to partake in three social justice activities in order to receive the decryption key. The activities demanded from the operators are donating clothes to the homeless, feeding at least five children who are less fortunate, and providing financial assistance for those who require urgent medical attention. All activities initiated by the victim must be recorded with video and/or photo as proof and uploaded on social media. A reflection post is also required stating the impact GoodWill has on the victim, “How you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill.” An email address used by GoodWill ransomware traces back to an Indian information technology solutions company. Analysis of the ransomware identified coding overlap with HiddenTear ransomware. Additionally, the ransomware operators appear to be Indian with an understanding of the Hindi dialect based on strings and current investigation findings.