avoid GoodWill ransomware

Ransomware typically involves attackers encrypting various files on a victim’s computer and making demands in return for the decryption key. GoodWill ransomware is unusual in that its developers don’t demand money. Instead, victims are required to submit video evidence that they’ve performed three predetermined good deeds.

Some might argue that this is a way of enacting social justice. In reality, GoodWill is a lazy reuse of an existing tool intended to help prevent ransomware attacks. It’s unlikely to achieve much beyond damaging victims – both emotionally and financially. With this in mind, we’re going to look at how best to avoid GoodWill ransomware.

What is GoodWill ransomware?

GoodWill ransomware is a worm that infects a target computer and encrypts everything from documents to databases, rendering them inaccessible. It was identified by threat detection company CloudSEK in March 2022.

GoodWill ransomware is not a new variant of ransomware. Rather, it’s a rebranding of the Jasmin open-source ransomware tool. Jasmin was developed to simulate real ransomware attacks in-house so that others in the team could try stopping them.

GoodWill ransomware makes very minor changes to the wording and code of Jasmin in order to weaponise the program. It makes no changes to the requirements for victims’ data to be decrypted. The demands – which were most likely originally intended to be tongue-in-cheek – state that the victim must:

  1. Record a video where they provide new clothes or blankets to homeless people. Post the video to social media using a photo frame provided by the attackers. Take a screenshot and also email a link to the attackers.
  2. Take five less fortunate children out to a Dominos, Pizza Hut or KFC and allow them to order whatever they like. Video and photographic evidence should again be uploaded to social media and sent to the attackers.
  3. Visit a hospital and offer to pay for the treatment of anyone who seems unable to afford it. Audio and photographic evidence should be uploaded and sent to the attackers.

Once completed, the attackers further require the creation of a social media post outlining how victims were turned “into a kind human” by being subject to “ransomware called GoodWill.”

Following verification, victims can expect to receive a link for downloading a “decryption kit.” This includes a “main decryption tool, password file, and the video tutorial to recover all important files.”

How to avoid GoodWill ransomware 

GoodWill and other types of ransomware are a type of malware that are increasingly popular among cybercriminals. The bulk of ransomware attacks are focused on businesses in the US and Western Europe.

According to a Sophos report, 66% of organizations across 31 countries were victims of ransomware in 2021, up from 37% in 2020. This trend looks set to continue, with increasing prevalence of the ransomware-as-service (RaaS) model, in which developers sell pre-made ransomware online.

The good news is that, to date, there have been no recorded victims of GoodWill ransomware. Ransomware victims often prefer to keep quiet about attacks. Publicizing an attack can alert other attackers to flaws in the victim’s security and also indicate that they’re willing to pay a ransom. In the case of GoodWill, there would be little chance of “paying” the ransom discreetly.

Here’s how to avoid goodwill ransomware:

  • Learn how to identify malicious emails. They are a key vector for spreading ransomware. Warning signs include bad spelling and/or grammar, vague introductions, and encouragement to click on links or open attachments. Many malicious emails can be identified by inspecting the email header: the sender should have an email domain appropriate to the company they claim to be representing.
  • Make backups and know how to access them. Practice restoring them quickly and efficiently. The interval between backups should be decided based on the amount of data that it is potentially acceptable to lose.
  • Identify security gaps and ensure all software is kept up to date. Ensure there are no unmatched devices, unprotected machines, or open RDP ports on the network.
  • Use a robust firewall to monitor incoming traffic and prevent malware entering the network through a computer’s ports. Hardware firewalls are typically used in business settings, while software firewalls are designed for home users.
  • Antivirus software can take care of any malware that manages to evade the firewall and arrive at a particular computer. Detected threats are quarantined and/or deleted before causing any damage. Decent antivirus software will automatically update itself to protect against newly minted viruses and other types of malware.

How to remove GoodWill ransomware

Prevention, they say, is better than cure. This is certainly true of ransomware, where investing time and money into its prevention is far better than often futile attempts to undo existing damage.

Following infection, there’s normally much debate about whether to pay attackers the ransom they ask in return for freeing up encrypted data. However, the sad reality is that retrieving all of your data is unlikely. The Sophos report found that just 4% of organizations that paid the ransom asked of them got all of their data back.

Time will tell whether the GoodWill ransomware developers are willing – or able – to restore access to all encrypted data. Bear in mind that some ransomware – NotPetya, for example – is unable to actually revert its own changes.

In the meantime, the following information about GoodWill ransomware has been collected:

  1. It probably originates in India. CloudSEK researchers found that IP addresses linked to the GoodWill ransomware dashboard were located in Mumbai. In addition, one of the strings in the program’s code indicates the attackers speak Hindi.
  2. Data is encrypted using the AES algorithm, with encrypted files given the file extension: .gdwill.
  3. The code attempts to identify the location of the infected device using the “GetCurrentCityAsync” string.

Indicators of compromise (IoC) include the following artifacts:

  • MD5: cea1cb418a313bdc8e67dbd6b9ea05ad
  • SHA-1: 8d1af5b53c6100ffc5ebbfbe96e4822dc583dca0
  • SHA-256: 0facf95522637feaa6ea6f7c6a59ea4e6b7380957a236ca33a6a0dc82b70323c
  • Vhash: 27503675151120c514b10412
  • Imphash: f34d5f2d4577ed6d9ceec516c1f5a744

Is GoodWill ransomware hacktivism?

Mainstream reporting of GoodWill ransomware has aligned it with hacktivism and portrayed its developers as Robin Hood-like characters. This seems a little generous. The demands of GoodWill are a little silly – which is only to be expected, given that they were lifted from a software tool designed for cybersecurity researchers to practice with.

But, if this isn’t hacktivism, what is? Hacktivism is where individuals or groups use hacking techniques as a form of civil disobedience. The aim is ultimately to affect social or political change.

Examples include Anonymous, which aims to create a “new form of collective politics,” and Hacktivismo, which is focused on the “development of software that empowers conduct forbidden by repression.”

Like any civil disobedience, whether hacktivists are “good” or “bad” depends on your feelings regarding the overarching power structures. Even within the hacktivist community there’s disagreement over which techniques are valid forms of protest. Many now argue against the use of tools such as Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks, favoring instead techniques such as anonymous blogging, geobombing, website mirroring and the creation of censorship-evading software.