GoodWill Ransomware: When Hackers Demand Charity Instead of Money

The GoodWill ransomware, discovered by CloudSEK, encrypts victims' files and demands they perform three charitable acts—helping the homeless, feeding poor children, and financially assisting patients—while recording the process, revealing a bizarre blend of extortion and social engineering.

Open Source Linux

GoodWill Ransomware: "Goodwill" Attack

This ransomware, named GoodWill, was first identified by the risk-management firm CloudSEK. Unlike typical ransomware that demands money, GoodWill requires victims to complete three charitable tasks to obtain the decryption key.

Task 1: Donate new clothing to homeless people and record the act on social media.

Task 2: Take at least five impoverished children to fast‑food restaurants such as KFC or Pizza Hut, photograph or video the experience, and share it online.

Task 3: Provide financial assistance to patients in need at a hospital, record audio, and post it on the internet.

After completing the tasks, victims must also write a short essay on Facebook or Instagram titled "How I Became a Good Person After Being a GoodWill Victim" before receiving the full decryption toolkit.

CloudSEK warned that a new ransomware called GoodWill had appeared.

The attackers were traced to an Indian IT security company based in Mumbai. Technical analysis shows GoodWill is written in .NET, packed with UPX, and includes a 722.45-second sleep to hinder dynamic analysis. It encrypts files with AES and calls a function named GetCurrentCityAsync to detect the infected device's location. Every file on the system is encrypted, including databases, photos, and videos.

GoodWill’s decryption guide spans three pages and requires the three charitable activities. The ransomware also demands that victims post a "small essay" online before the decryption tools are released.

Further research linked GoodWill to the HiddenTear ransomware family; 91 of GoodWill’s 1246 strings overlap with HiddenTear, suggesting code reuse or shared development.
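How a string-overlap figure like the one above can be computed during triage, shown as an added example that is not CloudSEK's tooling or code from the original article. The two byte blobs and every string in them except GetCurrentCityAsync are constructed placeholders, and the minimum string length of 5 is an assumption.

```python
import re

MIN_LEN = 5  # assumed minimum length for a run of bytes to count as a string


def extract_strings(blob, min_len=MIN_LEN):
    """Return the set of printable ASCII and UTF-16LE strings in a binary blob.

    .NET binaries keep metadata names as single-byte text and user string
    literals as UTF-16LE, so both encodings are decoded into one set.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(blob)}
    found |= {m.group().decode("utf-16-le") for m in utf16_re.finditer(blob)}
    return found


def string_overlap(sample, reference):
    """Return (shared_count, sample_total, sorted shared strings)."""
    s, r = extract_strings(sample), extract_strings(reference)
    shared = s & r
    return len(shared), len(s), sorted(shared)


def utf16(text):
    return text.encode("utf-16-le")


SEP = b"\x01\x02"  # non-printable filler between strings

# Constructed stand-in for the sample under analysis (not real malware bytes).
SAMPLE = SEP.join([b"SharedHelperAlpha", b"SharedHelperBeta",
                   b"GetCurrentCityAsync", utf16("only_in_sample_note")])

# Constructed stand-in for a known-family reference binary. One shared string
# is stored as UTF-16LE here to show why both encodings must be normalised.
REFERENCE = SEP.join([b"SharedHelperAlpha", utf16("SharedHelperBeta"),
                      b"only_in_reference"])

if __name__ == "__main__":
    count, total, shared = string_overlap(SAMPLE, REFERENCE)
    print(f"{count} of {total} strings shared ({count / total:.1%}): {shared}")
    # The article's figure, 91 of 1246, corresponds to about 7.3%.
```

A low ratio like this supports a code-reuse hypothesis only when the shared strings are distinctive; framework and runtime strings common to all .NET binaries should be filtered out before comparing.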

Previous Ransomware with “Good Deeds”

Other ransomware groups have employed similar tactics. In 2021, the Russian DarkSide gang extorted a U.S. fuel pipeline and, paradoxically, donated a portion of the ransom to charitable causes while claiming they would not target schools, hospitals, or non‑profits.

These cases raise ethical questions: using malicious software to force charitable actions blurs the line between crime and altruism, potentially causing public panic and legal repercussions.

One More Thing

Netizens have responded with humor, even pleading with the attackers to continue their “good‑will” demands, highlighting the absurdity of the situation.
