Cybersecurity Ransomware

Ransomware for Good? Acts of Kindness Demanded of Victims

Ransomware is one of the main cyber attacks that affects individuals and businesses alike today. This attack sees the malicious actor threaten the targeted victim by stealing their sensitive data and holding it for ransom with the threat of either destroying the data or selling it on the dark web if the ransom is not paid up. It is among the most stressful and costly attacks a business may encounter — the average ransom demanded of victims quadrupled from 2018 ($5,000 per attack) to 2020 ($20,000 per attack on average).

One would think that this is a type of cyber attack that is particularly malicious in nature, never really having an upside. Despite this, one hacker group has made a valiant effort in changing the public image of ransomware. How you may ask? Changing the type of ransom demanded. GoodWill ransomware is like other ransomware attacks where it steals and encrypts a victim’s files; however, unlike typical ransomware variants we see, this one does not extort money from its victims, but instead asks for proof of acts of kindness in order for the encrypted files to be returned.

As is common with other ransom attacks, GoodWill provides its victims with a ransom note; theirs reads

“Our Aim: The word “GoodWill” means to show kindness Story: Team GoodWill is not hungry of Money and Wealth but kindness. We want to make every person on the planet to be kind and wants to give them a hard lesson to always help poor and needy people. So, all our victims need to be gentle and kind to get their files back. We know that you are very excited for the play. Take Deep breath and look all around for those who needs help? You! No way, the only way to help yourself is to help others hope you understand”


Three acts of goodwill were requested: first, a video of the victim giving assistance to people sleeping in rough conditions posted to their social media accounts to encourage others to help those in need. Secondly, the attackers asked that the victim of the ransomware attack take five poor children to a pizza place and let them order any food that they wanted. Third, the GoodWill ransomware perpetrators asked that the victim of their own attack provide money to those who needed urgent medical assistance but were unable to pay themselves. Once convincing evidence is provided to the group that all steps had been satisfied, then a decryption tool would be provided for the recovery of the files.

Whether you agree with the goal behind these Black Mirror-esque ransomware attacks or not, it is interesting to see the alternate approach taken by a ransomware group. Avoid ransomware of any kind by teaching your employees about phishing attacks, as these are a common entry point for ransomware perpetrators to gain access to a company’s networks. Additionally, keep all devices and networks up-to-date so that they aide you in your cybersecurity journey. If possible, encrypt data in order to further protect it.

Image by for Freepik.