[MART] - Daily Diary #520 - GoodWill Ransomware Is Not So Good

CTAS-MAT ctas-mat at appgate.com
Fri May 27 20:47:33 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

05/27/2022 - Diary entry #520:

GoodWill is ransomware written in VB (.NET). First spotted in New Delhi, India in March 2022, this ransomware, unlike other ransomware, is not interested in extorting money from victims, but rather in promoting "social justice".

When a device or system is infected, the GoodWill ransomware worm sleeps for 722.45 seconds to interfere with dynamic analysis and then encrypts all important documents, photos, videos, databases, and other files using the AES algorithm, making them inaccessible. Compared to other ransomware, GoodWill is very simple: it uses only symmetric ciphers without key randomization for encryption, and no obfuscation techniques.

In exchange for the decryption key, the actors suggest the victims perform three social activities such as donating clothes to the homeless, providing food to children in brand-name pizzerias, and offering financial assistance to those who need urgent medical attention. In addition, victims are required to record each activity and publish the images, videos, etc. on their social media accounts.

At first glance, "GoodWill" seems to be not so bad, but it's important to consider the fact that a ransomware attack can cause irreparable damage to companies and individuals, as some processes and operations can be too sensitive to be stopped even for a few days. Even with the decryptor, which is not guaranteed, some files may fail to be recovered, as the encryption process can fail or break the file. That happens in lots of ransomware attacks, more commonly with big files. Getting people to upload videos of themselves performing puzzling and potentially dangerous tasks is also an invasion of their privacy. GoodWill, like any other "social justice" malware, should be treated as a threat nevertheless.

Kind Regards,



