A yet unknown threat actor wants to be the Robin Hood of the cyber-era, albeit with a twist. Instead of stealing from the rich and giving to the poor, this group forces the poor to give directly to the rich - by holding their precious data hostage until they do.
Cybersecurity researchers from CloudSEK recently discovered a ransomware strain named “GoodWill” that still infects companies, but instead of asking for payment, it’s asking for acts of goodwill against those less fortunate, all of which need to be documented and presented both publicly, and to the threat actor itself.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.
Helping the poor
Once a company gets infected with GoodWill, it needs to do three things:
- Provide homeless people found on the side of the road with new clothes and warm blankets. The victim must also document the act with photos and videos, add them to the photo frame provided by the attackers, and then share on their social media (Facebook/Instagram/WhatsApp). Screenshots of those posts, together with the links, need to be sent back to the attackers, in order to receive the second assignment:
- Buy food for poor children. In the evening, five poor kids need to be taken down to their favorite fast food restaurant and allowed to order whatever they can. The steps for this task are the same - document, post online, share with the attackers. Finally, step number three:
- Go to the nearest hospital and pay for someone’s treatment.
After all these things, the victims need to write a “beautiful article” about their deeds, and discuss how suffering an attack at the hands of GoodWill turned them into kind human beings. Once the threat actor verifies all was done as requested, the victims will receive the decryption key.
The researchers seemingly tracked the attackers to India, and although it cannot be absolutely certain, suspects this is the same malware (opens in new tab) group that operates the HiddenTear ransomware.