GoodWill Ransomware Tries to Play at Robin Hood
GoodWill is a relatively new ransomware strain analyzed by security researchers with CloudSEK.
What particularly sets GoodWill apart from the majority of other ransomware clones and bigger families is the ransom note and the purported motivation of the ransomware's operator. GoodWill does its best to persuade victims and the world at large that the group behind it is not a bunch of cybercriminals but benefactors and champions of noble causes. Of course, that is difficult to believe when you are using cyber extortion tactics.
The GoodWill sample contains a surprisingly long ransom note, suggesting that the victim of the malware should perform unusual acts of charity. The first page calls on the victim to "provide new clothes/blankets to needy people" and even "make a video of this event". The second "good deed" is taking poor children "from your neighborhood" out for pizza, to "make them feel happy". The third page asks the ransomware victim to go to a hospital and help people who need money for treatment.
Those extremely unusual requests are what the hackers expect in order to send a decryption key.
On the technical side of things, GoodWill encrypts files using AES. The ransomware is written and compiled in .NET and is then packed with the UPX packer.
Once executed, the ransomware sleeps for over 10 minutes in an attempt to dodge dynamic analysis in sandboxes, which typically stop observing a sample after a shorter time window. The examination performed by CloudSEK shows a significant overlap between GoodWill and the HiddenTear ransomware, whose proof-of-concept code was published publicly online.