Good Samaritans? This ransom gang forces victims to take poor kids to KFC


GoodWill ransomware, likely originating from India, is like no other. Instead of a ransom demand, its operators force victims to provide financial assistance to those in need.

“Goodwill ransomware group propagates very unusual demands in exchange for the decryption key. The Robin Hood-like group is forcing its victims to donate to the poor and provides financial assistance to the patients in need,” cybersecurity company CloudSEK said after analyzing the GoodWill ransomware.


Researchers first identified the malware in March 2022. Once the device is infected with the ransomware, it encrypts important files, including documents, databases, and photos, and renders them inaccessible without the decryption key.

Instead of a ransom demand, the GoodWill operators ask their victims to perform three socially driven activities, record them, and post the good deed on social media.

  • Activity 1: Donate new clothes to the homeless.
  • Activity 2: Take five less fortunate children to Domino's, Pizza Hut, or KFC for a treat.
  • Activity 3: Provide financial assistance to anyone who needs urgent medical attention but cannot afford it.

Along with the photo, video, or audio files documenting the activity, victims are also asked to write a note on social media on “how you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill.”

“Upon completing all three activities, the ransomware operators verify the media files shared by the victim and their posts on social media. The actor will then share the complete decryption kit, which includes the main decryption tool, password file, and a video tutorial on how to recover all important files,” CloudSEK said.

The company’s researchers traced the email address provided by the gang to an India-based IT services provider.

CloudSEK extracted some 1246 strings from this ransomware, 91 of which overlap with HiddenTear, an open-source ransomware developed by a Turkish programmer.

“CloudSEK researchers found the following strings of the malware interesting: ‘error hai bhaiya’: This string is written in Hinglish, which means ‘there is an error, brother.’ This indicates that the operators are from India and that they speak Hindi,” researchers said.
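The string comparison described above (extracting printable strings from a sample, measuring overlap with a known open-source family, and flagging language-revealing strings) can be reproduced with a small triage script. This is an added example, not CloudSEK's tooling; the sample blob and the reference string set are constructed stand-ins, not real GoodWill or HiddenTear artefacts.

```python
import re
from typing import Dict, Set

# Minimum length of a printable run to count as a "string" (the default used
# by the Unix `strings` tool).
MIN_LEN = 4

def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> Set[str]:
    """Return the set of printable ASCII runs of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group().decode("ascii") for m in pattern.finditer(blob)}

def overlap(sample: Set[str], reference: Set[str]) -> Dict[str, object]:
    """Count how many of the sample's strings also appear in the reference set."""
    shared = sample & reference
    return {
        "sample_total": len(sample),
        "shared": len(shared),
        "ratio": len(shared) / len(sample) if sample else 0.0,
        "shared_strings": sorted(shared),
    }

# Constructed stand-in for a ransomware binary: a fake header, some nulls,
# a few routine names, the Hinglish string quoted in the article, and a
# short run ("abc") that is too short to count as a string.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8 + b"AES_Encrypt\x00" + b"error hai bhaiya\x00"
    + b"\x01\x02" + b"EncryptFile\x00" + b"abc\x00" + b".goodwill\x00"
)

# Constructed reference set standing in for strings pulled from an
# open-source family; these are placeholders, not HiddenTear's real strings.
REFERENCE_STRINGS = {"AES_Encrypt", "EncryptFile", "GetRandomPassword"}

# Strings whose presence hints at the operators' language, as in the article.
LANGUAGE_INDICATORS = {"error hai bhaiya": "Hinglish: 'there is an error, brother'"}

def analyze(blob: bytes) -> Dict[str, object]:
    """Full triage: extract strings, score overlap, note language indicators."""
    strings = extract_strings(blob)
    report = overlap(strings, REFERENCE_STRINGS)
    report["indicators"] = {s: n for s, n in LANGUAGE_INDICATORS.items() if s in strings}
    return report

if __name__ == "__main__":
    print(analyze(SAMPLE_BLOB))
```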

[Image: GoodWill's demands. GoodWill Ransomware: Image of Activity 2 described in detail. Source: CloudSEK]