Victims of the new ‘GoodWill’ ransomware are being forced to donate money and clothing to the poor.

Victims of the new ‘GoodWill’ ransomware are being forced to donate money and clothing to the poor. Researchers in cybersecurity have discovered a new ransomware outbreak dubbed GoodWill, which forces victims to donate to social causes and offer financial support to those in need.

“The ransomware organization propagates quite unique demands in return for the decryption key,” CloudSEK researchers said in a study last week. “The Robin Hood-like gang professes to be concerned with assisting the least fortunate rather than extorting people for financial gain.”


Written in.NET, was discovered by the India-based cybersecurity firm in March 2022, with the infestations leaving sensitive information inaccessible without decryption. The virus, which employs the AES technique for encryption, is also famous for sleeping for 722.45 seconds to obstruct dynamic examination.

Following the encryption procedure, a multi-page ransom letter is shown, requiring victims to do three socially motivated behaviors in order to acquire the decryption kit.

This includes gifting new clothes and blankets to the homeless. Treating any five disadvantaged children to a meal at Domino’s Pizza. Pizza Hut, or KFC. And providing financial assistance to patients who require immediate medical treatment but lack the financial means to do so.


The victims are advised to take screenshots and photographs of the acts and publish them as proof on their social media profiles.

“Once all three acts are performed. Victims should additionally post a remark on social media (Facebook or Instagram) about ‘How you turned yourself into a good human being by becoming a victim of a ransomware dubbed GoodWill,” the researchers said.

There are no documented GoodWill victims, and the actual tactics. Methods, and procedures (TTPs) employed to enable the assaults remain unknown.

The identity of the threat actor is also unknown. While an examination of the email address and network artifacts shows that the operators are from India and speak Hindi.

Further examination of the ransomware sample found notable similarities with another Windows-based strain known as HiddenTear. Which was the first ransomware to be open-sourced as a proof-of-concept (PoC) in 2015 by a Turkish programmer.

“GoodWill operators may have obtained access to this. Allowing them to develop a new ransomware with appropriate alterations.” Stated the experts.

Have you enjoyed reading this article? To read more exclusive material from THN. Follow us on Facebook. Victims of the new ‘GoodWill’ ransomware are being forced to donate money and clothing to the poor.

Leave a Reply

Your email address will not be published. Required fields are marked *

Select your currency