GoodWill Ransomware Detection: New Malware Forces Its Victims to Pay Back to Society

A rather peculiar type of malware has recently hit the headlines. The new strain is dubbed GoodWill ransomware, and its novelty lies in the nature of the demands that victims have to fulfill to get the decryption key. The ransomware operators, claiming that they are “hungry for kindness”, expect their targets to support those in need. As part of ransomware demands, those forced acts of charity must be documented and shared online via the victim’s social media accounts.

The GoodWill ransomware strain was first spotted in March 2022. The malware analysis showed that the variant in question is .NET-based and uses the AES encrypt (aka Rijndael) to encrypt files on a compromised device. Researchers identified 1246 strings of this ransomware, with 91 overlapping with the HiddenTear.

Detect GoodWill Ransomware

The Sigma rule below, released by perspicacious Threat Bounty developer Furkan Celik, allows for effortless detection of the latest attacks involving the GoodWill ransomware:

Detect Malicious Files of the Goodwill Ransomware Group (via file_event)

The rule is aligned with the latest MITRE ATT&CK® framework v.10. addressing the Command and Control tactic with Ingress Tool Transfer (T1105) technique. Security practitioners can easily switch between multiple SIEM, EDR, and XDR formats to get the rule source code applicable to 19+ security solutions.

Adepts at cybersecurity are more than welcome to join the Threat Bounty Program to share their SOC content on the industry-leading platform for recurring monetary rewards.

An all-encompassing library of SOC content is available to all users with an active account on SOC Prime’s platform. Hit the Detect & Hunt button to explore Sigma and YARA rules that will help you detect ransomware breaches that may interrupt your business. By clicking the Explore Threat Context button, even non-registered security professionals can access trending detection content with all relevant context.

Detect & Hunt Explore Threat Context

GoodWill Ransomware Description

A very unusual threat actor has surfaced in late Spring 2022. The adversaries spread GoodWill ransomware, forcing their victims to be “gentle and kind” to get their files decrypted. Researchers from CloudSEK have tagged the threat actors behind the distribution of the strain as a Robin Hood-like adversary group, with some of the hackers’ traces indicating their Indian location.

The ransomware dubbed GoodWill is packed with UPX packers and lies dormant upon infection for almost 12 minutes to meddle with dynamic analysis.

The ransomware note includes a detailed description of what adversaries expect and instructions on three goodwill tasks performed by the victim and shared on their Facebook or Instagram accounts. Until the demands are fulfilled, the victim’s files are held encrypted.

Get a subscription to Threat Detection Marketplace – a world-leading platform for collaborative cyber defense that provides cross-vendor and cross-tool SOC content tailored to 25 market-leading SIEM, EDR, and XDR technologies. The content is continuously enriched with additional threat context, as well as checked for impact, efficiency, false positives, and other operational considerations through a series of quality assurance audits.