GoodWill Ransomware Twistedly Tasks Victims With Charity Work To Rescue Their Data

man handing money
Ransomware attacks are unfortunately now very common. Most attackers demand that their victims pay them money (almost always in cryptocurrency) to get their files back. However, one group has adopted a rather unique approach. The GoodWill ransomware group insists that its victims perform and document acts of service.

The GoodWill ransomware encrypts documents, photos, videos, databases, and other files and makes them inaccessible without a decryption key, just like other ransomware. The group is more than happy to provide their victims with a decryption key, but the victims must first sing for their supper. According to the group, “Team GoodWill is not hungry [for] Money [or] Wealth but Kindness… So, all of our victims need to be gentle and kind to get their files back.” We suppose the group believes this is a case of the means justifying the ends? Bad guys doing good? It reminds us of a very popular ProZD skit...

Victims must first directly donate clothes and/or blankets to “needy people on the side of the road.” They then are required to post a video or photo of them giving the clothes and blankets on Facebook, Instagram, and WhatsApp and screenshot their post and email it to the GoodWill Ransomware group. The group hopes that the social media posts will encourage others to aid the less fortunate and the posts all keep the victims accountable.

Victims must then take out at least five “poor” children under the age of thirteen to dinner at a fast food chain such as Dominos or KFC. They are tasked with being kind to the children during the dinner. They need to take a selfie of themselves with their children, post it on social media, and send a snapshot of their social media post and their dinner bill to the GoodWill ransomware group.

hacker cybersecurity
Next, victims must visit a hospital and pay for the medical treatment of those in need. Victims are encouraged to take selfies with those they are helping and must send a recording of their conversations to the GoodWill ransomware group. The group does not state how many people should be aided in the hospital or how many bills the victim should be willing to pay, but the group implies the victim should help more than one person.

Last, victims are tasked with writing a post on social media about how they are transforming “into a kind human being by becoming a victim of ransomware called GoodWill.” They must once again send a screenshot of their post to the group to verify its authenticity. The GoodWill ransomware group will then provide the victims with a decryption key and leave them be.

We so far know little about the ransomware group. CloudSEK's Threat Intelligence Research team first identified them in March 2022 and has traced them to an Indian IT and cybersecurity company that provides “end-to-end managed security services.” At the moment, it is unclear how the ransomware is spread, but what is clear is that the ransomware group’s motivations are unusual.