Organizations impacted by the GoodWill ransomware gang are being ordered by attackers to carry out good deeds before being able to download a tool for file decryption, The Register reports.
Suspected Indian ransomware group GoodWill has been demanding that victims perform three good deeds, each of which must then be documented on social media: giving blanket donations to the homeless, feeding needy children, and providing hospital patients with financial assistance for treatments, according to a report from CloudSEK's threat intel team. "As the threat group's name suggests, the operators are allegedly interested in promoting social justice rather than conventional financial reasons," said CloudSEK.
Researchers identified that GoodWill has been using .NET-based ransomware that is packed with UPX and leverages AES for file encryption. CloudSEK researchers have also discovered GoodWill's association with the HiddenTear ransomware, as GoodWill shares 91 of 1,246 strings with HiddenTear. "GoodWill operators may have gained access to this allowing them to create a new ransomware with necessary modifications," wrote researchers.