Skip links

Ransomware encrypts files, demands three good deeds to restore data

In what is either a creepy, weird spin on Robin Hood or something from a Black Mirror episode, we’re told a ransomware gang is encrypting data and then forcing each victim to perform three good deeds before they can download a decryption tool.

The so-called GoodWill ransomware group, first identified by CloudSEK’s threat intel team, doesn’t appear to be motivated by money. Instead, it is claimed, they require victims to do things such as donate blankets to homeless people, or take needy kids to Pizza Hut, and then document these activities on social media in photos or videos.

“As the threat group’s name suggests, the operators are allegedly interested in promoting social justice rather than conventional financial reasons,” according to a CloudSEK analysis of the gang. 

The security researchers believe the malware’s operators are from India or based there. They said they traced an email address provided by the ransomware group to an India-based managed security services provider. Additionally, two IP addresses, 3[.]109.48.136 and 13[.]235.50.147, that the malware connects to are said to be located in Mumbai.

Plus, the team noted a string in the code written in Hinglish, which the analysts said indicated the operators are from India and speak Hindi. The string, “error hai bhaiya,”  according to CloudSek, means “there is an error, brother.”

The ransomware, which the researchers said is written in .NET and packed with UPX, uses AES to encrypt files on infected Windows machines. There is evidence it tries to detect the geolocation of the compromised device, too, if this is all to be believed.

After it has infected the victim’s PC – it’s not said how that happens, but we imagine via email or a fake app installer – the GoodWill ransomware scrambles documents, photos, videos, databases, and other files. And then it drops three “Goodwill Activity” notes on the device with instructions to complete to download the tool to restore the encrypted data.

According to the CloudSek analysis, the do-gooder gangsters first task a victim with providing fresh clothes or blankets to “needy people on the side of the road,” video the deed, and then post the footage to Facebook, Instagram, and WhatsApp stories using a photo frame that the ransomware group provides to the victim. 

The frame, decorated with flowering hearts, says “I Help Need Peoples” across the top, with a space in the middle for the victim’s image, and “I Am Kind, So So Much Kind” at the bottom.

The next goodwill demands follow in similar form. Activity two: take five poor kids from the neighborhood to Dominos, Pizza Hut, or KFC, take selfies, and post on social media. And finally: visit a nearby hospital, find people who can’t pay for their treatment, and provide the needed financial assistance, “take some selfies with them with full of smiles and happy faces,” record the full audio of the interaction, and send it to the operators. Again, did we mention how creepy this is?

After completing all three tasks, the victims must also “write a beautiful article” on social media about “how you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill.” Once this is all done and verified by the miscreants, you get your decryption tool, allegedly.

Links to HiddenTear ransomware

In addition to attributing the ransomware to operators based in India, the security researchers also noted a connection to the HiddenTear ransomware, an open-source strain developed by a Turkish programmer who released a proof-of-concept version on GitHub. Of the GoodWill ransomware’s 1,246 strings, 91 overlap with the HiddenTear, according to CloudSek.

“GoodWill operators may have gained access to this allowing them to create a new ransomware with necessary modifications,” CloudSek wrote this week.

The researchers also provide the following indicators of compromise:

  • MD5: cea1cb418a313bdc8e67dbd6b9ea05ad
  • SHA-1: 8d1af5b53c6100ffc5ebbfbe96e4822dc583dca0
  • SHA-256: 0facf95522637feaa6ea6f7c6a59ea4e6b7380957a236ca33a6a0dc82b70323c
  • Vhash: 27503675151120c514b10412
  • Imphash: f34d5f2d4577ed6d9ceec516c1f5a744

And while we here at The Register love to see random acts of kindness performed in our communities, we need to underscore: using malware to extort good deeds is neither random, nor true kindness, not to mention probably illegal. If you really want to do good, there are plenty of opportunities that don’t involve infecting people’s devices and encrypting their photos. It might even start with uninstalling Windows. ®