Detected GoodWill ransomware that demands good deeds from victims not

Detected GoodWill ransomware that demands good deeds from victims, not money

Cyber ​​Security Experts CloudSEC They talked about the GoodWill hacker group, which distributes a ransomware virus, but in order to decrypt the data, the victim does not have to pay a ransom, but do good deeds. For example, donate blankets to the homeless, feed starving children fast food, or pay for treatment for the poor, capture all of this in photos and videos, and then post it on social media.

    Image Source: Pete Linforth /

Image Source: Pete Linforth /

According to experts, the ransomware operators work from India – this is suggested by their email and IP addresses associated with Mumbai, which the virus accesses. Also, an entry in Hinglish, a mixture of Hindi and English, was found in one of the lines of code. The malware is written in the .NET framework, compressed using the UPX file packer executable, and data on infected Windows machines is encrypted using the AES algorithm.

After the GoodWill virus infects the victim’s PC, it encrypts files of various formats on it and offers three good deeds to decrypt them: donate clothes or blankets “People on the move”take five poor kids to a fast food restaurant, go to the nearest hospital, and pay for treatment for someone who can’t do it on their own.

The first two actions must be documented on social networks using the photo frame offered by the hackers, and the last one should be recorded using the auxiliary object and sent to the operators of the ransomware virus along with the audio recording of the conversation with that person. After completing these three good deeds, you need to write and publish an article on the topic on the social network How did you become a kind person after falling victim to GoodWill ransomware virus?. After that, the hackers supposedly send a tool to decrypt the data.

Experts have discovered a connection between GoodWill and a sample of HiddenTear experimental malware, developed by a certain Turkish programmer for security reasons and placed on GitHub. CloudSEK reported that 91 of GoodWill’s 1246 lines of code matched the HiddenTear example.

About the author

Robbie Elmers

Robbie Elmers is a staff writer for Tech News Space, covering software, applications and services.

Add Comment

Click here to post a comment