'Robin Hood' ransomware forces victims to do good

SPECIAL SERIES: Gang makes victims buy KFC for poor kids.

June 7, 2022

A Robin Hood-like ransomware group called GoodWill demands that its victims help the poor in order to restore access to their data, according to a report from AI cybersecurity firm CloudSEK.

GoodWill “propagates very unusual demands in exchange for the decryption key,” according to the company’s researchers. “As the threat group’s name suggests, the operators are allegedly interested in promoting social justice rather than conventional financial reasons.”

Unlike most bad actors, the malicious hackers are not asking for money for themselves. Instead, they want the victims to do three charitable acts and share videos of their acts on social media.

  • Donate new clothes or blankets to the homeless

  • Take five poor children under 13 to Dominos, Pizza Hut or KFC

  • Visit a hospital and pay for medical treatment of needy people

After doing the three activities, victims must write a note on social media about “How you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill.”

After verification from the hackers, the victim will receive a decryption kit, including a password file, the decryption tool, and a video tutorial on how to recover files.

The malware included text in Hinglish (a mash-up of Hindi and English) that translated to “there is an error, brother,” and the IP addresses were traced back to Mumbai, India. This led the researchers to believe the threat actors may be based in India.

No victims have gone public to date, so the group’s tactics, techniques and procedures are not known. Researchers found similarities to HiddenTear, an open-source ransomware created by a Turkish developer.

GoodWill maliciously encrypts photos, videos, databases, documents, and other files. It could also expose intellectual property and confidential company data. The malware sleeps for 722.45 seconds to interfere with dynamic analysis.
