'GoodWill' ransomware demands victims donate to charity

The hackers require victims to perform three charitable activities in order to receive the decryption key.

A man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. (photo credit: REUTERS/KACPER PEMPEL/FILE PHOTO)

A new GoodWill ransomware is forcing its victims to donate to the poor and help the needy in an unusual Robin Hood-esque form of hacktivism, according to a report by the CloudSEK cybersecurity company.

The ransomware, first identified by CloudSEK in March, encrypts documents, photos, videos, databases and other important files and makes them inaccessible without the decryption key.

The hackers require victims to perform three charitable activities in order to receive the decryption key.

How does the hacking process go?

The first activity requires the victims to donate new clothes to the homeless, the second activity requires them to take five less fortunate children to a restaurant for a treat and the third activity requires them to provide financial assistance to anyone who needs urgent medical attention but cannot afford it.

The victims are required to record each activity and upload it to social media with a photo frame and caption provided by the hackers.

People pose in front of a display showing the word 'cyber' in binary code, in this picture illustration taken in Zenica December 27, 2014. (credit: REUTERS/DADO RUVIC/FILE PHOTO)

Once all three activities are completed, the hackers require the victims to write a note on social media on "How you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill."

According to CloudSEK, there are no known victims of the ransomware as of yet.

Finding the source of the hack

The cybersecurity company was able to trace the email address provided by the ransomware group back to an India-based IT company. The ransomware has many similarities with the open-source Hidden Tear ransomware.

CloudSEK also found a line in the code of the ransomware reading "error hai bhaiya," which means "there is an error, brother" in Hinglish. The company pointed out that this indicates that the operators are from India and speak Hindi.

The company was also able to trace two IP addresses in the ransomware to Mumbai, India.