
Ransomware attacks are unfortunately now very common. Most attackers demand that their victims pay them using bitcoins to get their files back. However, one group has adopted a rather unique approach. The GoodWill ransomware group insists that its victims perform and document acts of service.
GoodWill ransomware was identified by CloudSEK researchers in March 2022. As the name suggests, the operators are allegedly interested in promoting social justice rather than conventional financial reasons. CloudSEK researchers have been able to identify the following features of GoodWill:
- The ransomware is written in .NET and packed with UPX packers.
- It sleeps for 722.45 seconds to interfere with dynamic analysis.
- It leverages the AES_Encrypt function to encrypt, using the AES algorithm.
- One of the strings is “GetCurrentCityAsync,” which tries to detect the geolocation of the infected device.
- There are some 1246 strings of this ransomware, out of which 91 strings overlap with the HiddenTear ransomware.
- HiddenTear is open-source ransomware developed by a Turkish programmer and its PoC was then released on GitHub. GoodWill operators may have gained access to this allowing them to create new ransomware with necessary modifications.
Action Items for the victims are as follows
- Victims must first directly donate clothes and/or blankets to “needy people on the side of the road.” They then are required to post a video or photo of them giving the clothes and blankets on Facebook, Instagram, and WhatsApp and screenshot their post and email it to the GoodWill Ransomware group. The group hopes that the social media posts will encourage others to aid the less fortunate and the posts all keep the victims accountable.
- Victims must then take out at least five “poor” children under the age of thirteen to dinner at a fast-food chain such as Dominos or KFC. They are tasked with being kind to the children during the dinner. They need to take a selfie of themselves with their children, post it on social media, and send a snapshot of their social media post and their dinner bill to the GoodWill ransomware group
- Victims must visit a hospital and pay for the medical treatment of those in need. Victims are encouraged to take selfies with those they are helping and must send a recording of their conversations to the GoodWill ransomware group.
- Victims are tasked with writing a post on social media about how they are transforming “into a kind human being by becoming a victim of ransomware called GoodWill.” They must once again send a screenshot of their post to the group to verify its authenticity. The GoodWill ransomware group will then provide the victims with a decryption key and leave them be.
The research team has traced them to an Indian IT and cybersecurity company that provides “end-to-end managed security services.” Now, it is unclear how the ransomware is spread, but what is clear is that the ransomware group’s motivations are unusual.

These are GoodWill ransomware tunnels that are also subdomains of Ngrok.io:
- http://9855-13-235-50-147(.)ngrok(.)io/ (Dashboard of GoodWill ransomware)
- http://9855-13-235-50-147(.)ngrok(.)io/alertmsg(.)zip
- http://9855-13-235-50-147(.)ngrok(.)io/handshake(.)php
- http://84a2-3-109-48-136(.)ngrok(.)io/kit(.)zip
Indicators Of Compromise
- MD5: cea1cb418a313bdc8e67dbd6b9ea05ad
- SHA-1: 8d1af5b53c6100ffc5ebbfbe96e4822dc583dca0
- SHA-256: 0facf95522637feaa6ea6f7c6a59ea4e6b7380957a236ca33a6a0dc82b70323c