Cybersecurity experts at CloudSEK have described the hacker group GoodWill, which distributes a ransomware virus but, instead of demanding a ransom to decrypt the data, requires the victim to do good deeds. For example: donate blankets to the homeless, feed starving children with fast food, or pay for treatment for the poor, capture all of this in photos and videos, and then post them on social networks.
According to the experts, the ransomware operators work from India. This is indicated by their email addresses and by IP addresses assigned to Mumbai that the malware contacts. In addition, an entry in Hinglish, a mixture of Hindi and English, was found in one of the lines of code. The malware is written for the .NET framework and compressed with the UPX executable file packer, and it encrypts data on infected Windows machines using the AES algorithm.
After infecting the victim’s PC, the GoodWill virus encrypts files of various formats on it and demands three good deeds in exchange for decrypting them: donate clothes or blankets to the “needy on the road”, take five poor children to a fast food restaurant, and visit the nearest hospital and pay for the treatment of a person who is unable to pay for it on their own.
The first two actions must be documented on social networks using the photo frame supplied by the hackers. For the last one, the victim must be photographed with the person they helped and send the photo, along with an audio recording of the conversation with this person, to the operators of the ransomware virus. After completing these three good deeds, the victim has to write an article and post it on a social network on the topic “How did you become a kind person after being a victim of the GoodWill ransomware virus?”. After that, the hackers allegedly send a tool to decrypt the data.
The experts have discovered a connection between GoodWill and HiddenTear, a sample of experimental malware that was developed and published on GitHub by a Turkish programmer for security reasons. As reported by CloudSEK, 91 out of 1246 lines of GoodWill code match the HiddenTear sample.