Jump to content
Login new information ×
Login new information
Donations campaign phase one 2024
  • Security & Privacy News

    This ransomware forces victims to do acts of goodwill to get their files back

    Karlston

    By Karlston,
    Published Date:

    • 387 views
    • 3 minutes
     Share
    • 387 views
    • 3 minutes

    1653466966_word-image-42_story.jpg

     

    We are always hearing about ransomware that encrypts systems and then demands a payment from victims, usually in the form of cryptocurrency, to get their data back. But it appears that a new strain of ransomware has now emerged that asks users perform acts of good in order to decrypt their environments.

     

    CloudSEK's Threat Intelligence Research team has recently identified a ransomware that goes by the name of "GoodWill". In order to receive a decryption key, the victim has to perform acts of kindness such as feed the less fortunate, provide them blankets, and offer money to people at hospitals. In total, there are three activities that a victim must engage in so they can recover their data.

     

    1653466236_word-image-43_story.jpg

     

    As can be seen above, the first activity requires you to provide clothes and blankets to needy people on the side of the road and make a video of yourself doing this. This video also has to be posted to social media in order to encourage others. This information then has to be emailed to the attackers as evidence of completion.

     

    1653466242_word-image-44_story.jpg

     

    Then, the second activity requires you to feed five children from fast food chains and treat them well while doing it. The victim also has to take selfies with them and again post these photos and video on social media. An image of the restaurant bill along with links to the social media posts then has to be sent to the attacker.

     

    1653466230_word-image-45_story.jpg

     

    Finally, the third activity forces you to go to a hospital and pay for the medical treatment of those in need of financial assistance. Selfies have to be taken with these people too and the audio conversation has to be recorded as proof. Then, a "beautiful article" about this has to be posted on social media and you have to explain to people how becoming a ransomware of GoodWill was basically the best thing to have ever happened to you.

     

    Once all the information has been verified by the attackers, they will send a decryption tool so that you can recover your files.

     

    CloudSEK was able to trace IP addresses and the email address back to an IT company in India that purportedly manages end-to-end security. GoodWill has similarities with the HiddenTear ransomware but CloudSEK was also able to find strings in the code written in Hinglish such as "error hai bhaiya", which translates to "There is an error, brother".

     

    Although CloudSEK hasn't gone into details about how the ransomware is spread, it has shared a lot of indicators of compromise (IOCs) and mitigation techniques in its blog post here.

     

     

    This ransomware forces victims to do acts of goodwill to get their files back

    • aum and npo33770
    • Like 2
     Share
    Go to news

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

    ×

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...