GoodWill Ransomware Forces Victims to Do Good Deeds – How It Works

GoodWill ransomware, discovered by CloudSEK in Mumbai, encrypts all files and demands that victims complete three charitable acts and post a personal essay on social media before it provides a decryption key. It blends malware tactics with forced philanthropy and employs .NET, UPX packing, AES encryption, and location detection.

MaGe Linux Operations

The "Goodwill" Attack

Security firm CloudSEK identified a new ransomware named GoodWill that, unlike typical extortion malware, does not demand money but forces victims to perform three charitable actions to obtain the decryption key.

The required deeds are:

Donate new clothing to homeless people and record the act.

Take at least five underprivileged children to a fast‑food restaurant (e.g., KFC, Pizza Hut, Domino's), photograph or video the event, and share it on social media.

Provide financial assistance to anyone in a hospital who cannot afford urgent medical care, record the assistance, and post it online.

After completing these tasks, victims must also write a short essay titled “How I Became a Good Person After Being Hacked” on Facebook or Instagram. Once the essay is posted, GoodWill supplies a complete decryption package, including the decryption tool, password files, and a video tutorial.

Note: A new ransomware called GoodWill has appeared.

Technical analysis shows GoodWill is written in .NET, packed with UPX, and includes a 722.45‑second sleep to thwart dynamic analysis. It encrypts files using AES and can encrypt every file on the system, including databases, photos, and videos. The malware also contains a GetCurrentCityAsync function to detect the infected device’s geographic location.

CloudSEK traced the threat actors to Mumbai, India, and observed that the ransomware appears more interested in promoting social justice than extracting ransom money.

Further research revealed that GoodWill shares 91 identical strings with the open‑source ransomware HiddenTear, suggesting possible code reuse or evolution.
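
A string-overlap finding like the 91 shared strings can be reproduced during static triage with a short script. The following is an added example, not CloudSEK's tooling or code from the original article: the sample bytes and every string name other than GetCurrentCityAsync are constructed, and it assumes both samples have already been unpacked, since UPX-packed bytes hide most strings.

```python
import re

MIN_LEN = 6  # assumed threshold; shorter runs are mostly noise


def extract_strings(blob, min_len=MIN_LEN):
    """Return printable ASCII and UTF-16LE strings found in a binary blob.

    .NET assemblies store type/method names as UTF-8 and string literals
    as UTF-16LE, so both encodings have to be scanned.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(blob)}
    found |= {m.group().decode("utf-16le") for m in wide_re.finditer(blob)}
    return found


def shared_strings(sample, reference):
    """Compare two samples by the set of strings they both contain."""
    a, b = extract_strings(sample), extract_strings(reference)
    common, union = a & b, a | b
    return {
        "shared": sorted(common),
        "count": len(common),
        # Jaccard index puts the raw count in proportion to sample size.
        "jaccard": len(common) / len(union) if union else 0.0,
    }


# Constructed byte blobs standing in for two unpacked samples (not real malware).
SEP = b"\x01\x02"  # non-printable separator so strings do not run together
SAMPLE_A = SEP.join([
    b"GetCurrentCityAsync",              # name taken from the article
    b"EncryptDirectory",                 # constructed
    "unlock_note.txt".encode("utf-16le"),  # constructed wide literal
    b"UploadKeyToServer",                # constructed
])
SAMPLE_B = SEP.join([
    b"EncryptDirectory",
    "unlock_note.txt".encode("utf-16le"),
    b"UploadKeyToServer",
    b"DesktopWallpaper",                 # constructed, only in reference
])

if __name__ == "__main__":
    result = shared_strings(SAMPLE_A, SAMPLE_B)
    print(result["count"], "shared strings, Jaccard", result["jaccard"])
    for s in result["shared"]:
        print("  ", s)
```

A high shared count alone is weak evidence, because .NET framework and compiler strings appear in unrelated binaries; filtering those out before comparing makes the overlap more meaningful.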

Earlier Ransomware That Tried to Do Good

Previous ransomware groups, such as the Russian‑linked DarkSide, have also combined extortion with charitable donations, claiming they would not target schools, hospitals, or non‑profits. However, using malware to coerce philanthropy remains illegal and raises security concerns.

One More Thing

Some netizens reacted humorously, even begging the attackers to lock their computers at specific times, highlighting the bizarre blend of cybercrime and forced altruism.
