GoodWill Ransomware Requires Victims to Do Good Deeds

Putting a whole new meaning to the term "ethical hacking."


We’ve heard of white hat hackers, who are on the good side of the issue: their ethical hacking identifies vulnerabilities to help others avoid becoming victims. But the GoodWill ransomware is a different type of ethical – it requires its victims to do good deeds to get their data back.

Identifying GoodWill Ransomware

Threat analysis company CloudSEK identified the GoodWill ransomware this March. Victims don’t need to worry about losing money to these hackers, though. Instead of demanding a cash ransom, the hackers require victims to do good deeds if they ever want to see their data again.

You may be asking how the hackers will know the good deeds have been carried out. Victims are required to record them in pictures, audio, and/or video, then post the proof to social media.

Goodwill Ransomware Good Deeds Ransom Note
Image source: CloudSEK

The hackers are obviously not native English speakers. They tell victims that the first good deed “does not costs you high but matters for humanity.”

After the victims complete the good deeds and post them on social media, they are given instructions to download a decryption key. This will allow them to get their documents, photos, videos, databases, and other files back.

CloudSEK was able to determine a few things about the GoodWill hackers. It identified two IP addresses in subdomains as being located in Mumbai, India. The email address can be traced back to an IT security solutions and services company based in India.

GoodWill’s Good Deeds

The good deeds that are required by the GoodWill ransomware are very specific. The first deed discusses the thousands who die sleeping outside in the cold without proper clothing. The task requires victims to “provide new clothes/blankets to needed people of road side” and to record it on video. After this is completed, the hackers will “promotes you for the next activity.”


The second good deed requires victims to take five neighborhood children to Dominos, Pizza Hut, or KFC and order them food. “Treat those kids as your younger brothers.” The next part of the task is to take selfies and post them as a video story. A photo of the restaurant receipt is required as well. “Help those less fortunate than you, for it is real human existence.”

With the explanation that many people “have suffered the pain of losing their loved ones due to lack of money,” victims are required to visit a local hospital and pay for a medical treatment for someone who can’t afford it, then record the audio of telling them they are being supported and “do not need to worry now.” Selfies are required of “them with full of smiles and happy faces.”

Goodwill Ransomware Good Deeds Photo Frame
Image source: CloudSEK

After all three acts are completed, the victims need to write an article and post it on Facebook and Instagram about their “wonderful experience of being transformed into a ‘kind human being.’” The decryption kit will be sent once the hackers receive the link. Victims are also given the above photo frame, presumably for a selfie they took during the process.

There are no known victims or targets of the GoodWill ransomware, and no known cases of the good deeds being done to get stolen data back. If you’re worried about becoming a victim, check out these ransomware decryption tools for Windows.
