When Ransomware Demands Good Deeds: Inside the GoodWill Malware

The GoodWill ransomware, discovered by CloudSEK in Mumbai, forces victims to perform three charitable acts, document them, and post a personal essay before providing a decryption key, while employing .NET, UPX packing, AES encryption, and location‑tracking techniques.

MaGe Linux Operations

GoodWill Ransomware Overview

GoodWill is a ransomware strain that, unlike typical extortion tools, does not demand money directly. Instead, it requires victims to complete three charitable tasks and record the process to obtain the decryption key.

The three required actions are:

Donate new clothing to homeless people and document the activity.

Take at least five underprivileged children to fast‑food restaurants such as KFC, Pizza Hut, or Domino's, record photos or videos, and share them on social media.

Provide financial assistance to individuals in need at a nearby hospital, record audio evidence, and share it online.

After completing these tasks, victims must also write a short essay titled "How I Became a Good Person After Being Attacked by GoodWill" and post it on Facebook or Instagram before the ransomware releases the full decryption toolkit.

Technical Details

GoodWill is written in .NET and packed with UPX. To hinder dynamic analysis, it sleeps for 722.45 seconds before acting. It encrypts files with AES and can encrypt every file on the system, including databases, photos, and videos.

The malware contains a function called GetCurrentCityAsync that detects the infected device’s geographic location.

Discovery and Attribution

Risk‑management firm CloudSEK first identified GoodWill, tracing its command‑and‑control infrastructure to Mumbai, India. Their analysis suggests the ransomware’s primary motive is to promote social justice rather than financial gain.

CloudSEK also found a relationship between GoodWill and the HiddenTear ransomware: out of 1,246 strings in GoodWill, 91 overlap with HiddenTear, indicating possible code reuse or shared development.
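One way to measure this kind of string overlap between two binaries, as an added example that is not CloudSEK's tooling or code from the original article: extract printable ASCII and UTF-16LE strings (.NET stores string literals as UTF-16) from each file and count those in common. The byte blobs and every string except GetCurrentCityAsync are constructed, and the sketch assumes the bytes have already been unpacked.

```python
import re

MIN_LEN = 5  # assumption: ignore runs shorter than this, as strings-style tools do

def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> set:
    """Collect printable ASCII and UTF-16LE strings from raw (unpacked) bytes."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(blob)}
    # Decoding both encodings to str lets the same text match across encodings.
    found |= {m.group().decode("utf-16-le") for m in wide_re.finditer(blob)}
    return found

def overlap_report(sample: bytes, reference: bytes) -> dict:
    """Compare the sample's string set against a reference family's string set."""
    s, r = extract_strings(sample), extract_strings(reference)
    shared = s & r
    return {
        "sample_strings": len(s),
        "shared": len(shared),
        # Fraction of the sample's strings also present in the reference;
        # the page's figures (91 of 1,246) correspond to roughly 0.073.
        "ratio": len(shared) / len(s) if s else 0.0,
        "shared_strings": sorted(shared),
    }

# --- Constructed stand-ins for two binaries (not real sample contents) ---
SEP = b"\x00\x01\x02"  # non-printable filler between strings

def build_blob(ascii_strs, wide_strs):
    parts = [x.encode("ascii") for x in ascii_strs]
    parts += [x.encode("utf-16-le") for x in wide_strs]
    return SEP + SEP.join(parts) + SEP

SAMPLE = build_blob(
    ["shared_routine_alpha", "GetCurrentCityAsync", "only_in_sample"],
    ["shared message beta"],  # stored wide here, ASCII in the reference
)
REFERENCE = build_blob(
    ["shared_routine_alpha", "shared message beta", "only_in_reference"], []
)

if __name__ == "__main__":
    rep = overlap_report(SAMPLE, REFERENCE)
    print(f"{rep['shared']} of {rep['sample_strings']} strings shared ({rep['ratio']:.1%})")
    for text in rep["shared_strings"]:
        print("  ", text)
```

A raw overlap count like this is a triage signal, not attribution: strings from the runtime and common libraries appear in unrelated binaries, so the shared set needs manual review.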

Historical Context

GoodWill is not the first ransomware to incorporate “good deeds.” In 2021, the DarkSide group attacked a U.S. fuel‑pipeline operator, demanding ransom while publicly listing victims and claiming to donate part of the proceeds to charity.

Although the intention may appear benevolent, using malware to coerce charitable actions remains illegal and raises serious information‑security concerns.

Reference links are provided at the end of the original article.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
