GoodWill ransomware forces victims to donate to the poor and provides financial assistance to patients in need
Posted on May 24, 2022, 4:40 pm | Categories: Ransomware
The GoodWill ransomware group makes very unusual demands in exchange for the decryption key. The Robin Hood-like group forces its victims to donate to the poor and to provide financial assistance to patients in need.
Category | Type/Family | Industry | Region |
---|---|---|---|
Malware Intelligence | Ransomware | Multiple | Global |
Executive Summary
- CloudSEK’s Threat Intelligence Research team has recently analyzed GoodWill ransomware.
- The ransomware group propagates very unusual demands in exchange for the decryption key. The Robin Hood-like group claims to be interested in helping the less fortunate, rather than extorting victims for financial motivations.
- The group’s multiple-paged ransom note suggests that victims perform three socially driven activities to be able to download the decryption key.
- CloudSEK researchers have identified certain artefacts of the threat group that indicate direct attribution to India.
Analysis and Attribution for GoodWill Ransomware
Features of the GoodWill Ransomware
GoodWill ransomware was identified by CloudSEK researchers in March 2022. As the threat group’s name suggests, the operators are allegedly interested in promoting social justice rather than conventional financial reasons. CloudSEK researchers have been able to identify the following features of GoodWill:
- The ransomware is written in .NET and packed with UPX.
- It sleeps for 722.45 seconds to interfere with dynamic analysis.
- It encrypts files with the AES algorithm, through a function named AES_Encrypt.
- One of its strings is “GetCurrentCityAsync”, a function that attempts to determine the geolocation of the infected device.
Once it infects a machine, the GoodWill ransomware worm encrypts documents, photos, videos, databases and other important files, rendering them inaccessible without the decryption key. The actors suggest that victims perform three socially driven activities in exchange for the decryption key:
- Activity 1: Donate new clothes to the homeless, record the action, and post it on social media.
- Activity 2: Take five less fortunate children to Domino's, Pizza Hut or KFC for a treat, take pictures and videos, and post them on social media.
- Activity 3: At a nearby hospital, provide financial assistance to anyone who needs urgent medical attention but cannot afford it, record audio of the act, and share it with the operators.
- The ransomware group demands that the victims record each activity and mandatorily post the images, videos, etc. on their social media accounts.
- Once all three activities are completed, the victims should also write a note on social media (Facebook or Instagram) on “How you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill.”
- Since there are no known victims or targets of the ransomware group, their Tactics, Techniques and Procedures remain unknown.
How to Acquire the Decryption Kit for GoodWill Ransomware
Upon completion of all three activities, the ransomware operators verify the media files shared by the victim and their posts on social media. The actor then shares the complete decryption kit, which includes the main decryption tool, a password file and a video tutorial on how to recover all important files.
Information from Open Source
- Our researchers were able to trace the email address provided by the ransomware group back to an India-based IT security solutions and services company that provides end-to-end managed security services.
- On analyzing the ransomware, CloudSEK threat intelligence researchers extracted the strings of GoodWill:
- The sample contains some 1246 strings, of which 91 overlap with the HiddenTear ransomware.
- HiddenTear is an open-source ransomware developed by a Turkish programmer; its proof of concept was released on GitHub. GoodWill's operators may have used this code to build a new ransomware with the necessary modifications.
- CloudSEK researchers found the following strings of the malware interesting:
- “error hai bhaiya”: This string is written in Hinglish, which means “there is an error, brother.” This indicates that the operators are from India and that they speak Hindi.
- “.gdwill”: This string indicates that the file extension the ransomware appends to encrypted files is .gdwill.
- The following network artifacts associated with GoodWill were discovered by our researchers. They are tunnels used by GoodWill ransomware, exposed as subdomains of ngrok.io:
- http://9855-13-235-50-147(.)ngrok(.)io/ (Dashboard of GoodWill ransomware)
- http://9855-13-235-50-147(.)ngrok(.)io/alertmsg(.)zip
- http://9855-13-235-50-147(.)ngrok(.)io/handshake(.)php
- http://84a2-3-109-48-136(.)ngrok(.)io/kit(.)zip
- As shown above, the IP addresses 3.109.48.136 and 13.235.50.147 are encoded in the ngrok subdomain labels of these URLs. On detailed investigation, our researchers found that both IP addresses are located in Mumbai, India.
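The string-overlap comparison described above (1246 strings in the sample, 91 shared with HiddenTear) is straightforward to reproduce on your own samples. The following Python is an added example, not CloudSEK's tooling: it implements a minimal equivalent of the `strings` utility that also recovers UTF-16LE strings, which matters for a .NET sample because user strings live in the #US heap in that encoding, and then reports which strings two blobs share. Both byte blobs are constructed stand-ins; the second is not HiddenTear's real string table, it merely shares a couple of the strings the report names so the overlap calculation has something to find.

```python
import re


def extract_strings(blob, min_len=4):
    """Minimal `strings`: runs of printable ASCII, plus the same runs as UTF-16LE.

    .NET assemblies keep user strings in the #US heap as UTF-16LE, so an ASCII-only
    pass would miss strings such as ransom-note text or the encrypted-file extension.
    """
    count = str(min_len).encode()
    ascii_re = re.compile(rb"[\x20-\x7e]{" + count + b",}")
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){" + count + b",}")
    found = {m.group().decode("ascii") for m in ascii_re.finditer(blob)}
    found |= {m.group().decode("utf-16-le") for m in wide_re.finditer(blob)}
    return found


def string_overlap(sample, reference):
    """Return the strings both sets share and the fraction of the sample they cover."""
    shared = sample & reference
    ratio = len(shared) / len(sample) if sample else 0.0
    return shared, ratio


def _wide(text):
    return text.encode("utf-16-le")


# Constructed stand-in for the GoodWill sample: the strings are the ones the report
# names, laid out as an ASCII region and a UTF-16LE region with null separators.
SAMPLE_GOODWILL = (
    b"MZ\x90\x00\x03"
    + b"AES_Encrypt\x00\x00"
    + _wide("error hai bhaiya") + b"\x00\x00"
    + _wide(".gdwill") + b"\x00\x00"
    + b"GetCurrentCityAsync\x00\xff"
)

# Constructed reference blob. This is NOT HiddenTear's real string table; it only
# shares two strings with the sample so that the overlap is non-empty.
SAMPLE_REFERENCE = (
    b"MZ\x90\x00\x03"
    + b"AES_Encrypt\x00\x00"
    + _wide("Decrypt files") + b"\x00\x00"
    + b"GetCurrentCityAsync\x00\xff"
)

if __name__ == "__main__":
    shared, ratio = string_overlap(extract_strings(SAMPLE_GOODWILL),
                                   extract_strings(SAMPLE_REFERENCE))
    print(sorted(shared), f"{ratio:.0%} of the sample's strings")
```

One caveat of this naive extractor: a printable ASCII byte immediately before a UTF-16LE string is absorbed into the wide match (the sample above avoids that with double-null separators). On real binaries, cross-check against `strings -e l` or a dedicated .NET string dumper before quoting overlap counts.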
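The ngrok hostnames listed above carry the tunneled origin IP in their subdomain label (`9855-13-235-50-147` decodes to 13.235.50.147), which is how the report arrives at the two Mumbai-located addresses. The following Python is an added example, not part of the CloudSEK report: it decodes that label, sweeps constructed proxy log lines for ngrok tunnels whose paths match the kit and handshake artefacts named above, and lists file names carrying the `.gdwill` extension. The log line layout (timestamp, client IP, method, URL) is an assumption made for the sample, and the hostname pattern is the one seen in the report's URLs only.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hostname shape seen in the report: <tunnel id>-<a>-<b>-<c>-<d>.ngrok.io.
# Assumption: only this layout is matched; other ngrok domains would need their own suffix.
NGROK_HOST_RE = re.compile(
    r"^(?P<tunnel>[0-9a-z]+)-(?P<octets>\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3})\.ngrok\.io$"
)

# Paths from the report's artefacts, re-armed from the defanged form for matching.
REPORT_PATHS = {"/alertmsg.zip", "/handshake.php", "/kit.zip"}
GOODWILL_EXT = ".gdwill"


def embedded_ip(host):
    """Return the IPv4 address encoded in an ngrok tunnel hostname, or None."""
    m = NGROK_HOST_RE.match(host.strip().lower())
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group("octets").replace("-", ".")))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


@dataclass
class Finding:
    line_no: int
    host: str
    tunneled_ip: str
    path: str
    reason: str


def scan_proxy_log(lines):
    """Flag requests to ngrok tunnels; note when the path matches a report artefact."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:  # malformed line: skip rather than crash the sweep
            continue
        url = urlsplit(parts[3])
        host = url.hostname or ""
        ip = embedded_ip(host)
        if ip is None:
            continue
        reason = "request to ngrok tunnel (origin %s)" % ip
        if url.path in REPORT_PATHS:
            reason += "; path matches GoodWill kit/handshake artefact"
        findings.append(Finding(n, host, ip, url.path, reason))
    return findings


def gdwill_files(names):
    """Return file names carrying the .gdwill extension the ransomware appends."""
    return [n for n in names if n.lower().endswith(GOODWILL_EXT)]


# Constructed sample log: two tunnel hits built from the report's URLs, one benign
# request, and one ngrok host whose label is not an IP address.
SAMPLE_LOG = [
    "2022-03-15T10:02:11Z 10.0.0.7 GET http://9855-13-235-50-147.ngrok.io/handshake.php",
    "2022-03-15T10:02:15Z 10.0.0.7 GET http://84a2-3-109-48-136.ngrok.io/kit.zip",
    "2022-03-15T10:03:01Z 10.0.0.9 GET https://example.com/index.html",
    "2022-03-15T10:04:20Z 10.0.0.9 GET http://abcd-not-an-ip.ngrok.io/",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.host} -> {f.tunneled_ip} {f.path} ({f.reason})")
    print(gdwill_files(["report.docx.gdwill", "photo.jpg"]))
```

Decoding the label gives you a pivot that survives the tunnel being torn down: the origin IPs can be checked against your own egress records even after the ngrok hostname stops resolving.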
Impact & Mitigation
Impact | Mitigation |
---|---|