GoodWill Ransomware Twistedly Tasks Victims With Charity Work To Rescue Their Data
The GoodWill ransomware encrypts documents, photos, videos, databases, and other files and makes them inaccessible without a decryption key, just like other ransomware. The group is more than happy to provide their victims with a decryption key, but the victims must first sing for their supper. According to the group, “Team GoodWill is not hungry [for] Money [or] Wealth but Kindness… So, all of our victims need to be gentle and kind to get their files back.” We suppose the group believes this is a case of the ends justifying the means? Bad guys doing good? It reminds us of a very popular ProZD skit...
Victims must first directly donate clothes and/or blankets to “needy people on the side of the road.” They are then required to post a video or photo of themselves giving the clothes and blankets on Facebook, Instagram, and WhatsApp, screenshot their post, and email it to the GoodWill ransomware group. The group hopes that the social media posts will encourage others to aid the less fortunate, and the posts also keep the victims accountable.
Victims must then take at least five “poor” children under the age of thirteen out to dinner at a fast food chain such as Domino's or KFC. They are tasked with being kind to the children during the dinner. They need to take a selfie of themselves with the children, post it on social media, and send a snapshot of their social media post and their dinner bill to the GoodWill ransomware group.
So far, we know little about the ransomware group. CloudSEK's Threat Intelligence Research team first identified them in March 2022 and has traced them to an Indian IT and cybersecurity company that provides “end-to-end managed security services.” At the moment, it is unclear how the ransomware is spread, but what is clear is that the ransomware group’s motivations are unusual.