Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

GoodWill Ransomware victims have to perform socially driven activities to decryption their data

Researchers discovered a new ransomware family called GoodWill that asks victims to donate the ransom for social causes. CloudSEK’s Threat Intelligence Research team has disclosed a new ransomware strain called GoodWill, that demands victims the payment of a ransom through donations for social causes and financially helping people in need. “The ransomware group propagates very unusual demands in […]

GoodWill

Researchers discovered a new ransomware family called GoodWill that asks victims to donate the ransom for social causes.

CloudSEK’s Threat Intelligence Research team has disclosed a new ransomware strain called GoodWill, that demands victims the payment of a ransom through donations for social causes and financially helping people in need.

“The ransomware group propagates very unusual demands in exchange for the decryption key. The Robin Hood-like group claims to be interested in helping the less fortunate, rather than extorting victims for financial motivations.” reads the analysis published by CloudSEK. “The group’s multiple-paged ransom note suggests that victims perform three socially driven activities to be able to download the decryption key.”

GoodWill

The GoodWill ransomware is written in .NET, in order to evade detection it is packed with UPX packers and sleeps for 722.45 seconds before starting its activity.

The researchers attribute the attack to a threat actor based in India. Ransomware operators request the victims to perform three socially driven activities in exchange for the decryption key.

Researchers observed that the ransomware code is based on the HiddenTear open-source ransomware.

Victims have to donate new clothes to the homeless, record their action, and post it on social media. In addition, the victims can accompany less fortunate children to Dominos, Pizza Hut or KFC for a treat, take pictures and videos, and post them on social media.

The last action for the victims consists of providing financial assistance to anyone who needs urgent medical attention, but cannot afford it, at a nearby hospital, recording audio, and sharing it with the operators.

“Once all three activities are completed, the victims should also write a note on social media (Facebook or Instagram) on “How you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill.” said the researchers. “Since there are no known victims/ targets for the ransomware group, their Tactics, Techniques and Procedures remain unknown.”

The researchers also shared indicators of compromise (IoCs) for this ransomware.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, GoodWill ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]