Cybersecurity researchers have disclosed a new ransomware strain called GoodWill that compels victims to donate to social causes and provide financial assistance to people in need.
“The ransomware group propagates very unusual demands in exchange for the decryption key,” researchers from CloudSEK said in a report published last week. “The Robin Hood-like group claims to be interested in helping the less fortunate, rather than extorting victims for financial motivations.”
Written in .NET, the ransomware was first identified by the India-based cybersecurity firm in March 2022, with the infections rendering sensitive files inaccessible without decrypting them. The malware, which uses the AES algorithm for encryption, is also notable for sleeping for 722.45 seconds to interfere with dynamic analysis.
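As an added example (not from the CloudSEK report or this article), the Python below scores a sandbox API-call trace for the kind of long-sleep stalling described above, reporting which calls would fall outside an analysis window. The trace format, the sample lines, the 300-second budget and the treatment of `Sleep`/`SleepEx` are assumptions made for the example.

```python
# Added example: flag sleep-based stalling in a sandbox API-call trace.
# A 722.45 s Sleep outlasts many sandboxes' observation window, so what the
# sample does afterwards is never recorded. Trace format and lines are constructed.
import re
from typing import NamedTuple

# Constructed trace: "<seconds since start> <module>!<api>(<args>)"
SAMPLE_TRACE = """\
0.002 kernel32.dll!Sleep(dwMilliseconds=722450)
722.460 bcrypt.dll!BCryptOpenAlgorithmProvider(pszAlgId="AES")
722.470 kernel32.dll!CreateFileW(lpFileName="C:\\Users\\u\\Documents\\a.docx")
"""

LINE_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+\S+!(?P<api>\w+)\((?P<args>.*)\)$")
SLEEP_APIS = {"Sleep", "SleepEx"}  # first argument is a millisecond count


class Event(NamedTuple):
    t: float
    api: str
    args: str


def parse_trace(trace: str) -> list[Event]:
    # Lines that do not match the assumed format are skipped.
    events = []
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(float(m["t"]), m["api"], m["args"]))
    return events


def sleep_seconds(ev: Event) -> float:
    """Duration of a Sleep/SleepEx call in seconds; 0.0 for any other API."""
    if ev.api not in SLEEP_APIS:
        return 0.0
    m = re.search(r"\d+", ev.args)
    return int(m.group()) / 1000.0 if m else 0.0


def assess(trace: str, sandbox_budget_s: float = 300.0) -> dict:
    """Does one sleep alone exceed the assumed analysis budget, and which
    non-sleep calls occur only after that budget has expired?"""
    events = parse_trace(trace)
    durations = [sleep_seconds(e) for e in events]
    longest = max(durations, default=0.0)
    unobserved = [e.api for e in events
                  if e.t > sandbox_budget_s and e.api not in SLEEP_APIS]
    return {"total_sleep_s": round(sum(durations), 3),
            "longest_sleep_s": round(longest, 3),
            "evades_budget": longest > sandbox_budget_s,
            "unobserved_apis": unobserved}
```

Raising `sandbox_budget_s` above the longest sleep (or having the harness skip sleeps) moves the encryption-related calls back into the observed set.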
The encryption process is followed by the display of a multi-page ransom note that requires the victims to carry out three socially driven activities in order to obtain the decryption kit.
These include donating new clothes and blankets to the homeless, taking any five underprivileged children to Domino’s Pizza, Pizza Hut, or KFC for a treat, and providing financial assistance to patients who need urgent medical attention but lack the financial means to obtain it.
Furthermore, the victims are asked to record the activities in the form of screenshots and selfies and post them as evidence on their social media accounts.
“Once all three activities are completed, the victims should also write a note on social media (Facebook or Instagram) on ‘How you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill,’” the researchers said.
There are no known victims of GoodWill, and the exact tactics, techniques, and procedures (TTPs) used to carry out the attacks are as yet unclear.
Also unknown is the identity of the threat actor, although an analysis of the email address and network artifacts suggests that the operators are based in India and speak Hindi.
Further investigation into the ransomware sample has also revealed significant overlaps with another Windows-based strain called HiddenTear, the first ransomware to have been open-sourced as a proof-of-concept (PoC) back in 2015 by a Turkish programmer.
“GoodWill operators may have gained access to this, allowing them to create a new ransomware with the necessary modifications,” the researchers said.