GoodWill ransomware attackers share a three-page ransom note asking the victim to perform three tasks to get the decryption key: donate to the homeless, feed poor kids, and provide financial assistance to a patient in need.
CloudSEK's Threat Intelligence Research team has warned about a new ransomware strain dubbed GoodWill Ransomware that can cause temporary to permanent data loss and may also shut down operations, leading to massive revenue losses.
The digital risk monitoring service also reported that they traced the email IDs of the GoodWill Ransomware operators to an Indian IT security solutions/services provider offering end-to-end managed security services.
It is worth noting that this campaign was detected in New Delhi, India, in March 2022. According to CloudSEK’s analysis of the GoodWill Ransomware campaign, “the operators are allegedly interested in promoting social justice rather than conventional financial reasons.”
The GoodWill Ransomware is written in .NET and packed with the UPX packer. The malicious software sleeps for 722.45 seconds to interfere with dynamic analysis and uses its AES_Encrypt function to encrypt data with the AES algorithm.
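For triage, the UPX packing mentioned above can be checked statically from a PE file's section table. The following is an added example, not code from the article or from CloudSEK's report; it assumes UPX's default section names (`UPX0`, `UPX1`), and the two header-only images it runs on are constructed, not real samples.

```python
import struct

UPX_NAMES = {"UPX0", "UPX1", "UPX2"}  # default UPX section names (assumed unrenamed)

def pe_sections(data: bytes):
    """Return [(name, virtual_size, raw_size)] from a PE image's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    if coff + 20 > len(data):
        raise ValueError("truncated COFF header")
    nsect, = struct.unpack_from("<H", data, coff + 2)     # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16) # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        off = table + 40 * i                              # 40-byte section headers
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, off)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize))
    return sections

def upx_indicators(data: bytes):
    """List the static hints that the image was packed with UPX."""
    secs = pe_sections(data)
    reasons = []
    hits = [n for n, _, _ in secs if n in UPX_NAMES]
    if hits:
        reasons.append("UPX section names: " + ", ".join(hits))
    # Supporting hint only when names matched: the first UPX section holds no
    # bytes on disk and is filled in memory when the stub unpacks the payload.
    if hits and any(r == 0 and v > 0 for _, v, r in secs):
        reasons.append("empty-on-disk section that is mapped in memory")
    return reasons

def constructed_pe(specs):
    """Build a header-only PE image from (name, virtual_size, raw_size) tuples."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0, 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n, v, 0x1000 * (i + 1), r, 0, 0, 0, 0, 0, 0)
        for i, (n, v, r) in enumerate(specs))
    return dos + b"PE\0\0" + coff + table

# Constructed inputs: one laid out like a UPX-packed file, one like a plain one.
PACKED = constructed_pe([(b"UPX0", 0x8000, 0), (b"UPX1", 0x4000, 0x3E00), (b".rsrc", 0x1000, 0x600)])
PLAIN = constructed_pe([(b".text", 0x2000, 0x2000), (b".rsrc", 0x1000, 0x600)])
```

Section names are trivially renamed, so an empty result does not show that a file is unpacked; treat a hit as a reason to unpack before further analysis.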
One of its strings titled GetCurrentCityAsync can detect the