• Home
  • /Learn
  • /GoodWill Ransomware Tasks Victims with Acts of Charity to Recover Data
background image


GoodWill Ransomware Tasks Victims with Acts of Charity to Recover Data


GoodWill Ransomware is a new type of ransomware used to target businesses and individuals. This ransomware is unique in that it requires victims to perform acts of charity to have their data decrypted. These acts of charity have included donating to a local food bank or animal shelter or even providing volunteer services at a local hospital. The ransomware has been used to target businesses in the United States, Canada, and Europe.

What is GoodWill Ransomware? 

GoodWill ransomware is similar to other types of malware, but the key difference is that instead of asking for ransom, it forces victims to do something good to get their data back. The creators of this ransomware aim to drive their victims out of their homes and volunteer. Hence the name: GoodWill ransomware. 

The ransomware creators used the .Net framework to write this malware and filled it with UPX packers. It requires 722.45 seconds to interfere with dynamic analysis and uses the AES Encrypt function to encrypt all target files.

It assigns each victim three different goodwill tasks. The hackers provide the decryption key if the target victim completes the tasks. While the hackers may not seek ransom in cryptocurrency or gift card codes, they may sometimes make the goodwill act inconvenient. 

According to a CloudSEK report, "GoodWill ransomware was identified by CloudSEK researchers in March 2022. As the threat group's name suggests, the operators are allegedly interested in promoting social justice rather than conventional financial reasons." CloudSEK also said the ransomware could completely shut down an enterprise's operations, leading to revenue loss. 

Disturbing activities GoodWill ransomware asks victims to perform

Often, this ransomware inconveniences the victims by assigning them abnormal tasks. Victims have experienced being locked out of their computers only to have a message pop up asking them to perform three acts of kindness to gain access to their computers. Some tasks have included feeding underprivileged children in upscale pizza outlets, donating new clothes to the homeless and providing urgent medical attention to the needy.

Reports suggest that the threat actors have asked victims to "take some selfies of them with full of smiles and happy faces, make a beautiful video story on this whole event and again post it on your Facebook and Instagram Stories with photo frame and caption provided by us." The caption they provide is, "How you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill."  

While it may not seem harmful, sometimes attackers ask their victims to humiliate or insult themselves on social networking sites for misdeeds. In its report, CloudSEK says, "Our researchers were able to trace the email address provided by the ransomware group." The CloudSEK threat intelligence researchers pulled 1,246 strings from the GoodWill ransomware. Of the 1,246 strings, 91 coincided with the HiddenTear ransomware (developed by a Turkish programmer). The researchers claimed to have found Hindi and mixed English in those strings. This led to the conclusion that the ransomware operators were from India and were Hindi speakers. 


How to protect your enterprise from Goodwill ransomware? 

While there is nothing you can do to guarantee that your enterprise will not be targeted by GoodWill ransomware, you can take steps to protect your data.

  • Keep a backup of your corporate or personal data in isolated storage

  • Keep your defence systems like anti-malware, antivirus, firewall, etc., up to date

  • Hire a robust patch management team to mitigate any system vulnerabilities

  • Apply AI-based anti-ransomware solutions

  • Leverage ML-based network monitoring solutions to analyze the behaviour of different programs running within the network

  • Educate your employees about phishing emails and other social engineering techniques so they can identify them

  • Ensure you have regularly scheduled penetration testing and ensure all vulnerabilities identified are resolved.

See Packetlabs' new Ransomware Penetration Testing Service.

Final thoughts

The GoodWill ransomware is a new and emerging threat. While it may not be as harmful as some of the other types of ransomware, it can still cause significant damage to your enterprise. It is important to protect your data and keep your systems up to date.

Download Ransomware Prevention & Response Checklist to ensure you have the necessary people, processes and technology in place to prevent a devastating ransomware attack.