GoodWill Ransomware Demands People Help the Most Vulnerable

‘Ransomware with a cause’ has been detected in New Delhi, India. The cryptoviral extortion demands that people donate clothing to the homeless, provide children with food in branded pizza shops and offer financial assistance to those in urgent need of medical care.

The recent news comes from CloudSEK, a digital risk monitoring firm, which warned that Goodwill ransomware could lead to both temporary and permanent loss of company data. In addition, warned CloudSEK, the ransomware could lead to a complete shutdown of operations and revenue loss.

A report from CloudSEK reads, "Our researchers were able to trace the email address, provided by the ransomware group, back to an India-based IT security solutions & services company, that provides end-to-end managed security services."

“GoodWill ransomware was identified by CloudSEK researchers in March 2022. As the threat group's name suggests, the operators are allegedly interested in promoting social justice rather than conventional financial reasons."

In the event the GoodWill ransomware affects a system, every single document, photo, video, database and file becomes encrypted, after which users can no longer access the data without a decryption key.

"The actors suggest that victims perform three socially driven activities in exchange for the decryption key: Donate new clothes to the homeless, record the action and post it on social media; take five less fortunate children to Dominos, Pizza Hut or KFC for a treat, take pictures and videos and post them on social media; and provide financial assistance to anyone who needs urgent medical attention but cannot afford it, at a nearby hospital, record audio, and share it with the operators," continues the report.

Should the target carry out these three tasks, the ransomware asks them to share a message on Facebook or Instagram, demonstrating "how you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill." Once verified, the person orchestrating this invasive event will reportedly provide those affected with a decryption kit to recover the stolen data.

What’s Hot on Infosecurity Magazine?