top of page
  • Writer's pictureORNA

New Charity Ransomware Forces Victims to Commit Good Deeds

In the old English legend of Robin Hood, he was a hero to the peasantry because of his generous spirit. He robbed the rich and gave the spoils to the poor, needy, and destitute. He was a vigilante in every sense and because he opposed those with plenty, he was revered and adored by those with the lesser station.

Similarly, a new form of ransomware worm has emerged, called GoodWill. What’s unique about this novel strain of malware is that instead of holding the victim’s data hostage until a ransom is paid, victims are forced to perform charitable deeds if they hope to see their data again.

Essentially, once the ransomware finds itself in the target systems, it encrypts the contents of the disk drives with an AES encryption algorithm and also utilizes a 722.45-second sleep timer, which interferes with real-time analysis.

The ransomware was uncovered by threat analysis firm CloudSek in March 2022, which designated the malicious code as “global malware.” They also discovered artifacts or tells within the malware itself. From these forensic digital fingerprints, researchers ascertained that the group originates in India.

CloudSek summarizes the malware with the following statement:

“Goodwill ransomware group propagates very unusual demands in exchange for the decryption key. The Robin Hood-like group is forcing its victims to donate to the poor and provides financial assistance to the patients in need.”

The ransom note itself is rather lengthy. The GoodWill ransom group requires the victims to complete three mandatory objectives that are to be performed socially. Once the tasks are satisfied, the group releases the decryption key for the victim to download.

Deliverance Upon Meeting Three Objectives

The group mandates that victims accomplish three charitable objectives accompanied by the following explanation, “It does not cost you high, but matters for humanity.”

The first task is to provide new clothes or blankets to needy people along the roadside. The victim is required to provide proof of this exchange, either with a video or photo. The next step requires the victim to record either video or photographic evidence of the charitable deed and post the evidence on social media as well as by email to the attackers.

The attackers also provide a photo frame for the victim to use. Then, the next objective is delegated to the victim.

This part is extremely bizarre, and perhaps the most difficult objective. It requires the victim to take “five less fortunate children” under the age of 13 years, specifically to either Dominos, Pizza Hut, or KFC “for a treat.”

The attackers go on to say that “You cannot feed them food for life, but you can give them 2 moments of happiness!” This event must be accomplished in the evening time while taking selfies with them full of smiles and happy faces, in addition to making a “beautiful video” of the event to be uploaded to Facebook and Instagram stories using the photo frame and caption provided by the attackers.

Try to imagine falling prey to the GoodWill ransomware group and being faced with a task like this. I cannot imagine this being a simple feat, as most parents aren’t going to allow their children to be taken to any restaurant with a stranger or take selfies and videos with them.

The final objective is to go to a hospital and provide the maximum financial assistance to anyone who is financially impacted and unable to cover their hospital bill. The victim must approach individuals and verify who isn’t able to afford their medical treatment. They must also make sure to take selfies with happy faces.

The victim must create an audio recording of the conversation, which is to be sent to the attackers. Lastly, the victim must write an article on their Facebook and Instagram timelines and share their experiences publically, describing how they were transformed into “a kind human being” after becoming the victim because of the GoodWill ransomware.

How victims are selected has not yet been formerly ascertained.

A Hacker’s Final Thoughts

For as long as I can remember, I have encountered countless hackers along my personal journey that seemed to be driven by a strong wind of self-righteousness, in that they have the power to police and judge as they see fit. This has become a pivotal element in the modern-day hacktivists' cult of personality.

This also adequately describes my former self ambitions as a black hat hacker. I policed the internet, policed the private affairs of individuals and governments, foreign and domestic. I executed judgment, till the day I myself was judged by the strong arm of the law.

Back then, I made it my mission to judge the deeds of others and convict them accordingly. Although I speak of this in a negative context, there were deeds I pursued that I will yet justify and defend.

I digress. My thoughts are that hacktivism, or hackers of all flavors, in the general sense, has cultivated a kind of counterculture mindset poised to hold others accountable as long as it's not ourselves that must be held to account for our misdeeds.

I believe the underlying motives of the GoodWill ransomware group are understandable. The world is rife with suffering and injustices. Therefore, their goals appear to be a hope to create a mechanism that forces those with more to commit charitable acts in support of those without.

However, the very principle driving this operation, as well as most hacktivist operations I’ve encountered in recent memory, are driven by a flagrant double standard that opposes one of the tenants of hackerdom, which simply is the abuse of power.

When governments exert totalitarian control over a people or commit arbitrary acts through the abuse of power, it provokes a strong response. Naturally, when hackers adopt an authoritarian personality and then, wield absolute power and control over those who seemingly have no connection to them, I wonder why they ostensibly embrace the same mindset as the very forces they have dedicated their lives to oppose.

Thus, creating a wrong in order to manipulate it into creating a right elsewhere isn’t necessarily the change we hope to see in the world. It just becomes another vice of arbitrary control wielded by those who possess absolute power at the expense of those forced to obey.

An article by

Jesse McGraw

Edited by

Ana Alexandre




Rome wasn't built in a day, but your SOC might be.


Weekly cyber insights

Thanks for submitting!

bottom of page