New ransomware demands victims to donate to poor

GoodWill attackers appear to be motivated by social justice rather than monetary gain

Anthony Cuthbertson
Monday 23 May 2022 15:20 BST
Goodwill ransomware demands victims help feed or provide financial aid to those in need
Goodwill ransomware demands victims help feed or provide financial aid to those in need (Getty Images/iStockphoto)

Security researchers have uncovered a new form of ransomware that demands victims to donate clothes and food to those in need in order to recover their data.

The GoodWill ransomware was first identified by cyber security firm CloudSEK in March 2022, with attackers appearing to be motivated by social justice rather than monetary gain.

Businesses and individuals targeted with the ransomware are ordered to carry out various acts of kindness and post about it on social media. Anyone not complying risks losing access to their data.

Ransomware attacks typically involve sending an email or online message to a target, with the hope that they will click on a link containing malicious software that will automatically download and encrypt the victim’s computer or entire IT network.

In order to regain access, victims are usually asked to pay a fee payable in bitcoin or another semi-anonymous cryptocurrency.

A CloudSEK report detailed how GoodWill attackers used an entirely different ransom method for victims to receive the decryption kit.

“As the threat group’s name suggests, the operators are allegedly interested in promoting social justice rather than conventional financial reasons,” the report stated.

“The actors suggest that victims perform three socially driven activities in exchange for the decryption key: Donate new clothes to the homeless, record the action, and post it on social media; Take five less fortunate children to Dominos, Pizza Hut or KFC for a treat, take pictures and videos, and post them on social media; And provide financial assistance to anyone who needs urgent medical attention but cannot afford it, at a nearby hospital, record audio, and share it with the operators.”

The researchers claim to have traced the ransomware group back to “an India-based IT security solutions & services company”, which provides “end-to-end managed security services”.

The Independent has reached out to CloudSEK for further comment and information about whether any victims have yet complied with the hackers’ demands.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in