Ransomware compels victim to donate financial aid to poor patients in need

A new ransomware has been detected in India that forces victims to donate new clothes to the homeless, feed children at branded pizza places, and provide financial assistance to anyone in need of urgent medical attention but who does not can’t afford it, according to digital risk monitoring firm Cloudsek.

The company warned that Goodwill ransomware could also lead to temporary or even permanent loss of company data and possible shutdown of company operations, along with loss of revenue.



“GoodWill ransomware was identified by CloudSEK researchers in March 2022.

As the name of the threatening group suggests, the operators would be interested in promoting social justice rather than conventional financial reasons,” Clousek said in a statement.

Once infected, GoodWill ransomware worm encrypts documents, photos, videos, database and other important files and makes them inaccessible without the decryption key.

“The actors suggest that the victims perform three social activities in exchange for the decryption key: donating new clothes to the homeless, recording the action and posting it on social media, taking five less fortunate children to Dominos Pizza Hut or KFC for a treat, taking photos and videos, posting them on social media, and providing financial assistance to anyone who needs urgent medical attention but cannot afford it, at a nearby hospital, record audio and share it with operators,” the report says.

After completing the three activities, the ransomware asks victims to write a note on social media (Facebook or Instagram) about “how you turned into a benevolent human being by becoming a victim of a ransomware called GoodWill”. After completing the three activities, the ransomware operators check the victim’s shared media files and their social media posts.

The actor will then share the complete decryption kit which includes the main decryption tool, password file and a video tutorial on how to recover all important files, according to the report.

“Our researchers were able to trace the email address, provided by the ransomware group, to an India-based IT security solutions and services company, which provides end-to-end managed security services,” indicates the report.

Comments are closed.