GoodWill Ransomware

At first glance, the GoodWill Ransomware appears to be yet another malware threat designed to lock the data of its victims. And, indeed, the threat is perfectly capable of doing that. Written in .NET, the GoodWill Ransomware uses the AES cryptographic algorithm to encrypt numerous important file types on breached devices. The affected files include databases, pictures, documents, archives, etc. The threat also enters sleep mode for 722.45 seconds as a way to hamper dynamic analysis attempts.

However, when researchers from the threat analysis firm CloudSEK examined GoodWill Ransomware's ransom note, they discovered something unusual. Instead of the typical instructions on how to make a ransom payment to the cybercriminals, GoodWill's multi-page note asks victims to perform 3 charitable actions. After completing each step, victims are asked to post selfies and share the experience on their social media accounts. The operators of the GoodWill Ransomware will verify that each task has been performed and promise to send their victims a full decryption kit consisting of a software tool, a password file and a video tutorial. The three generous acts described in the note are:

  • Activity 1 - Donate clothes to the homeless.
  • Activity 2 - Pay for five less fortunate kids to go to Domino's, KFC or Pizza Hut.
  • Activity 3 - Pay the medical bill of an unfortunate person who is in urgent need of treatment but doesn't have the funds for it.

It should be noted that during their analysis of the threat, CloudSEK discovered multiple connections suggesting that the operators of the GoodWill Ransomware are from India. The evidence consists of an email address traced back to India, the existence of strings containing words in Hindi, and two IP addresses that were located in Mumbai, India.
