A new ransomware entraps victims with an unusual demand: it holds people’s data hostage until they perform 3 good deeds. Read on to know more about it…
We’ve all heard of white hat hackers, who are on the good side of cybersecurity and use ethical hacking to help others avoid becoming victims. The GoodWill ransomware, on the other hand, is a different kind of ethical in that it demands that victims perform good deeds in order to recover their data.
The ransomware, which is written in .NET and uses the AES encryption algorithm to block access to important files, was initially discovered by an India-based cybersecurity company. The malware is also known to sleep for 722.45 seconds to interfere with dynamic analysis.
CloudSEK, a threat analysis firm, discovered the GoodWill ransomware in March 2022. However, victims do not need to be concerned about losing money as a result of these hackers. Instead of demanding a monetary ransom, the hackers demand that victims perform good deeds in order to regain access to their data.
Clearly, the hackers are not native English speakers. They inform victims that the first good deed “does not costs you high but matters for humanity.”
The victims are given instructions to download a decryption key once they accomplish the good deeds and share them on social media. They will be able to retrieve their documents, photos, videos, databases, and other files as a result of this.
“The ransomware group propagates very unusual demands in exchange for the decryption key,” researchers from CloudSEK said in a report published last week. “The Robin Hood-like group claims to be interested in helping the less fortunate, rather than extorting victims for financial motivations.”
CloudSEK discovered a few details about the GoodWill hackers. Two IP addresses in subdomains were located in Mumbai, India. The email address can be traced back to an Indian organization that provides IT security solutions and services.
Tech Details
CloudSEK lists these artefacts of GoodWill:
• The ransomware is written in .NET and packed with the UPX packer.
• It sleeps for 722.45 seconds to interfere with dynamic analysis.
• It leverages the AES_Encrypt function to encrypt, using the AES algorithm.
• One string, “GetCurrentCityAsync,” is used to detect the geolocation of the victim’s device.
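A static triage check for the artefacts in the list above, as an added example that is not CloudSEK's or this article's code: it parses the PE header for UPX section names and the .NET CLR directory, then searches for the two listed strings. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Artefact strings from the CloudSEK list above; .NET method names are stored
# as UTF-8 and string literals as UTF-16LE, so both encodings are searched.
ARTEFACT_STRINGS = ("AES_Encrypt", "GetCurrentCityAsync")

def pe_info(data: bytes):
    """Return (section_names, has_clr_header) for a PE image, else None."""
    try:
        if data[:2] != b"MZ":
            return None
        pe_off, = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return None
        n_sections, = struct.unpack_from("<H", data, pe_off + 6)
        opt_size, = struct.unpack_from("<H", data, pe_off + 20)
        opt_off = pe_off + 24
        magic, = struct.unpack_from("<H", data, opt_off)
        dirs_off = opt_off + (96 if magic == 0x10B else 112)  # PE32 / PE32+
        n_dirs, = struct.unpack_from("<I", data, dirs_off - 4)
        # Data directory 14 is the CLR runtime header: non-zero means .NET.
        clr_rva = struct.unpack_from("<I", data, dirs_off + 14 * 8)[0] if n_dirs > 14 else 0
        sec_off = opt_off + opt_size
        names = [data[o:o + 8].rstrip(b"\0").decode("ascii", "replace")
                 for o in range(sec_off, sec_off + 40 * n_sections, 40)]
        return names, clr_rva != 0
    except struct.error:  # truncated or malformed header
        return None

def triage(data: bytes) -> dict:
    """Static check for the listed artefacts; reads bytes only, runs nothing."""
    names, is_dotnet = pe_info(data) or ([], False)
    return {
        "upx_sections": [n for n in names if n.startswith("UPX")],
        "dotnet": is_dotnet,
        "strings": [s for s in ARTEFACT_STRINGS
                    if s.encode() in data or s.encode("utf-16-le") in data],
    }

def build_sample(sections=(b"UPX0", b"UPX1"), clr=True, strings=ARTEFACT_STRINGS):
    """Constructed, non-executable PE32 header plus strings (not a real sample)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    if clr:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in sections)
    tail = b"\0".join(s.encode() for s in strings)
    return dos + b"PE\0\0" + coff + bytes(opt) + table + tail
```

On a file that is still packed, the UPX section names are the likely hit; the two strings may only become visible once the file has been unpacked.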
The Good Deeds of GoodWill
The GoodWill ransomware has very stringent requirements for good deeds. The first deed is about the thousands of people who die as a result of sleeping outside in the cold without enough clothing. The first task of victims is to “provide new clothes/blankets to needed people of road side” and record it on video. The hackers will “promotes you for the next activity” once the first task is completed.
The second good deed requires the victims to take 5 children from their neighborhood to Domino’s, Pizza Hut, or KFC and place a food order for them. “Treat those kids as your younger brothers,” say the hackers. The next step is to shoot selfies and upload them to a video story. A photograph of the restaurant receipt must also be uploaded and posted. “Help those less fortunate than you, for it is real human existence.”
With the explanation that several people “have suffered the pain of losing their loved ones due to lack of money,” victims must visit a local hospital and pay for medical treatment for someone who cannot afford it, then record an audio message telling them they are being supported and “do not need to worry now.” Selfies with “them with full of smiles and happy faces” are also a must.
After completing all three acts, the victims must write an article and post it on Facebook and Instagram about their “wonderful experience of being transformed into a ‘kind human being.’” Once the hackers have received the link, the decryption kit will be sent to the victims. The above photo frame is also handed to victims, presumably for a selfie they snapped during the process.
There have been no reported victims or targets of the GoodWill ransomware, and no reports of good deeds performed to recover stolen data.