Ransomware encrypts files, demands three good deeds to restore data

Shut up and take ... poor kids to KFC?


In what is either a creepy, weird spin on Robin Hood or something from a Black Mirror episode, we're told a ransomware gang is encrypting data and then forcing each victim to perform three good deeds before they can download a decryption tool.

The so-called GoodWill ransomware group, first identified by CloudSEK's threat intel team, doesn't appear to be motivated by money. Instead, it is claimed, they require victims to do things such as donate blankets to homeless people, or take needy kids to Pizza Hut, and then document these activities on social media in photos or videos.

"As the threat group's name suggests, the operators are allegedly interested in promoting social justice rather than conventional financial reasons," according to a CloudSEK analysis of the gang.

The security researchers believe the malware's operators are from India or based there. They said they traced an email address provided by the ransomware group to an India-based managed security services provider. Additionally, two IP addresses, 3[.]109.48.136 and 13[.]235.50.147, that the malware connects to are said to be located in Mumbai.

Plus, the team noted a string in the code written in Hinglish, which the analysts said indicated the operators are from India and speak Hindi. The string, "error hai bhaiya," according to CloudSEK, means "there is an error, brother."

The ransomware, which the researchers said is written in .NET and packed with UPX, uses AES to encrypt files on infected Windows machines. There is evidence it tries to detect the geolocation of the compromised device, too, if this is all to be believed.

After it has infected the victim's PC – it's not said how that happens, but we imagine via email or a fake app installer – the GoodWill ransomware scrambles documents, photos, videos, databases, and other files. And then it drops three "Goodwill Activity" notes on the device with instructions to complete to download the tool to restore the encrypted data.

According to the CloudSEK analysis, the do-gooder gangsters first task a victim with providing fresh clothes or blankets to "needy people on the side of the road," video the deed, and then post the footage to Facebook, Instagram, and WhatsApp stories using a photo frame that the ransomware group provides to the victim.

The frame, decorated with flowering hearts, says "I Help Need Peoples" across the top, with a space in the middle for the victim's image, and "I Am Kind, So So Much Kind" at the bottom.

The next goodwill demands follow in similar form. Activity two: take five poor kids from the neighborhood to Dominos, Pizza Hut, or KFC, take selfies, and post on social media. And finally: visit a nearby hospital, find people who can't pay for their treatment, and provide the needed financial assistance, "take some selfies with them with full of smiles and happy faces," record the full audio of the interaction, and send it to the operators. Again, did we mention how creepy this is?

After completing all three tasks, the victims must also "write a beautiful article" on social media about "how you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill." Once this is all done and verified by the miscreants, you get your decryption tool, allegedly.

Links to HiddenTear ransomware

In addition to attributing the ransomware to operators based in India, the security researchers also noted a connection to the HiddenTear ransomware, an open-source strain developed by a Turkish programmer who released a proof-of-concept version on GitHub. Of the GoodWill ransomware's 1,246 strings, 91 overlap with HiddenTear's, according to CloudSEK.
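The "91 of 1,246 strings" figure is the kind of number an analyst gets by pulling printable strings out of two binaries and intersecting them. The script below is an added illustration of that technique, not CloudSEK's tooling or anything from the GoodWill or HiddenTear code; the two byte blobs are constructed stand-ins (with a fake DOS header and a few labels lifted from this article), not real samples, and the `_blob` helper exists only to build them.

```python
"""Shared-strings overlap between two binaries (added example, not CloudSEK's code).

Mirrors what `strings` does: pull runs of printable ASCII of at least MIN_LEN
characters, plus UTF-16LE runs, which matter for .NET binaries, then intersect
the two sets. The blobs below are constructed stand-ins, not real samples.
"""
import re

MIN_LEN = 4  # same default minimum length as the `strings` utility

ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE text: each printable ASCII byte is followed by a NUL byte.
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes) -> set:
    """Return the set of ASCII and UTF-16LE strings found in `data`."""
    ascii_strings = {m.decode("ascii") for m in ASCII_RE.findall(data)}
    wide_strings = {m.decode("utf-16-le") for m in WIDE_RE.findall(data)}
    return ascii_strings | wide_strings


def string_overlap(sample_a: bytes, sample_b: bytes) -> dict:
    """Count strings in each sample, the strings they share, and two overlap ratios."""
    a, b = extract_strings(sample_a), extract_strings(sample_b)
    shared = a & b
    union = a | b
    return {
        "strings_a": len(a),
        "strings_b": len(b),
        "shared": len(shared),
        # "91 of 1,246" in the article is this ratio for the GoodWill sample.
        "shared_fraction_of_a": len(shared) / len(a) if a else 0.0,
        "jaccard": len(shared) / len(union) if union else 0.0,
        "shared_strings": sorted(shared),
    }


def _blob(ascii_parts, wide_parts) -> bytes:
    """Constructed helper: a fake MZ header followed by NUL-separated strings."""
    out = bytearray(b"MZ\x90\x00\x03\x00\x00\x00")
    for s in ascii_parts:
        out += s.encode("ascii") + b"\x00\x00"
    for s in wide_parts:
        out += s.encode("utf-16-le") + b"\x00\x00\x00\x00"
    return bytes(out)


# Constructed stand-ins, NOT the real binaries. "error hai bhaiya" and
# "Goodwill Activity" are quoted from the article; the rest are placeholders.
GOODWILL_STAND_IN = _blob(
    ["HiddenTear", "error hai bhaiya", "EncryptFile", "AesCryptoServiceProvider", "GoodWill"],
    ["Goodwill Activity"],
)
HIDDENTEAR_STAND_IN = _blob(
    ["HiddenTear", "EncryptFile", "AesCryptoServiceProvider", "ransom_note.txt"],
    [],
)

if __name__ == "__main__":
    report = string_overlap(GOODWILL_STAND_IN, HIDDENTEAR_STAND_IN)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against real files with `open(path, "rb").read()` in place of the stand-ins. A low shared fraction is not proof of lineage on its own, since common .NET runtime names show up in unrelated binaries; the overlap is a lead to confirm with code-level comparison, which is how the article frames CloudSEK's finding.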

"GoodWill operators may have gained access to this allowing them to create a new ransomware with necessary modifications," CloudSEK wrote this week.

The researchers also provide the following indicators of compromise:

  • MD5: cea1cb418a313bdc8e67dbd6b9ea05ad
  • SHA-1: 8d1af5b53c6100ffc5ebbfbe96e4822dc583dca0
  • SHA-256: 0facf95522637feaa6ea6f7c6a59ea4e6b7380957a236ca33a6a0dc82b70323c
  • Vhash: 27503675151120c514b10412
  • Imphash: f34d5f2d4577ed6d9ceec516c1f5a744
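For anyone who wants to put the published indicators to work, the following script is an added example (not CloudSEK's or The Register's code) that refangs the two C2 addresses quoted earlier in the article, hashes a file with the three algorithms listed above, and scans firewall-style log lines for contact with those addresses. The Vhash and Imphash values are left out because neither is a plain `hashlib` digest; the log lines are constructed for the demonstration.

```python
"""Match the GoodWill indicators published by CloudSEK against local artifacts.

Added example, not code from CloudSEK or The Register. The sample log lines are
constructed; the hashes and IP addresses are the ones quoted in the article.
"""
import hashlib
import ipaddress
import re

# File hashes as listed in the article. Vhash and Imphash are omitted: Vhash is a
# VirusTotal similarity scheme and Imphash needs a PE import-table parser.
GOODWILL_HASHES = {
    "md5": "cea1cb418a313bdc8e67dbd6b9ea05ad",
    "sha1": "8d1af5b53c6100ffc5ebbfbe96e4822dc583dca0",
    "sha256": "0facf95522637feaa6ea6f7c6a59ea4e6b7380957a236ca33a6a0dc82b70323c",
}

# Network indicators in the defanged form the article prints them in.
GOODWILL_C2_DEFANGED = ["3[.]109.48.136", "13[.]235.50.147"]


def refang(indicator: str) -> str:
    """Turn a defanged IP such as '3[.]109.48.136' back into a valid address string."""
    candidate = indicator.replace("[.]", ".").replace("(.)", ".")
    return str(ipaddress.ip_address(candidate))  # ValueError if it is not an IP


C2_IPS = {refang(ip) for ip in GOODWILL_C2_DEFANGED}


def hash_bytes(data: bytes) -> dict:
    """Compute the three digests an analyst would compare against the published IoCs."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_goodwill(data: bytes) -> list:
    """Names of the algorithms under which `data` matches a published hash (empty if none)."""
    digests = hash_bytes(data)
    return [algo for algo, value in digests.items() if GOODWILL_HASHES.get(algo) == value]


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_c2_hits(log_lines) -> list:
    """Return (line_number, ip) for every log line that mentions a GoodWill C2 address."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in C2_IPS:
                hits.append((lineno, ip))
    return hits


# Constructed sample log: lines 2 and 4 contact the published C2 addresses.
SAMPLE_LOG = [
    "2022-05-25T10:01:02Z allow 10.0.0.5 -> 142.250.74.46:443",
    "2022-05-25T10:01:09Z allow 10.0.0.5 -> 3.109.48.136:443",
    "2022-05-25T10:02:15Z allow 10.0.0.9 -> 10.0.0.1:53",
    "2022-05-25T10:02:44Z allow 10.0.0.5 -> 13.235.50.147:80",
]

if __name__ == "__main__":
    print("C2 addresses:", sorted(C2_IPS))
    print("log hits:", find_c2_hits(SAMPLE_LOG))
    # A constructed blob will not match; a real sample file would be read with open(path, "rb").
    print("benign blob matches:", matches_goodwill(b"not the sample"))
```

Feed `find_c2_hits` lines from a proxy or firewall export and `matches_goodwill` the bytes of a suspicious executable; a match on any one of the three hashes is a hit. Keep the indicators defanged wherever they are stored or shared and refang only at the point of comparison, as the function above does.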

And while we here at The Register love to see random acts of kindness performed in our communities, we need to underscore: using malware to extort good deeds is neither random, nor true kindness, not to mention probably illegal. If you really want to do good, there are plenty of opportunities that don't involve infecting people's devices and encrypting their photos. It might even start with uninstalling Windows. ®
