By Edwin Doyle, Global Security Evangelist, Check Point Software.

GoodWill ransomware forces victims to record acts of kindness and to then publish corresponding content on social media.

GoodWill ransomware

In traditional ransomware attacks, the ransomware operators hold files or networks hostage in exchange for a ransom. They demand anywhere from hundreds to millions of dollars in exchange for the safe custodial transfer of your property back to your guardianship.

Should you refuse to pay, hackers are liable to leak or destroy your files, or to sell access to your network. The GoodWill ransomware approach is different.

How GoodWill works

Rather than requiring organizations to pay a $1 million ransom, the GoodWill ransomware demands that targets perform acts of charity.

The ransomware still has the same basic functions of any other ransomware – it encrypts the majority of file types; from videos to databases. In the absence of a decryption key, you will remain unable to recover your files.

But, as noted previously, this ransomware does not require any payment at all – through cryptocurrency or otherwise. If you/your organization performs three kind deeds, you are reportedly guaranteed to see your files or your network restored.

GoodWill ransomware nuances

On the surface, the GoodWill ransomware operators’ demands might sound like a step up in the ransomware world. Until…You realize that the criminals are asking victims to publicly embarrass themselves on social media.

After all, the criminals are requesting for organizations to post specific items to social media in order to recover things that should have been better secured in the first place. The level of manipulation and brand reputational damage packaged into this scheme is stomach churning.

Mandatory victim activities

Here’s what the ransom notes say that victims must do:

Activity 1: “…we all know thousands of people die due to sleeping on the roadside in the cold because they do not have clothes to cover their body. So your 1st task is to provide new clothes/blankets to needy people of [the] roadside and make a video of this event. Later, post this video/photo to your Facebook, Instagram and WhatsApp stories by using photo frame provided by us and encourage other people to help needy people in winters. Take a screen shot of your post and send email to us with valid post link…”

Once this activity is completed, ransomware operators state that they will confirm and then provide the next set of activity instructions.

Activity 2: In the second piece of these attackers’ scavenger hunt, victims are instructed to feed needy children. The note explains how many people do not have the luxury of dinner every night.

“In the evening, pick any 5 poor children (under 13 years) of your neighborhood and take them to Dominos, Pizza Hut or KFC, then allow them to order the food they love to eat and try to make them feel happy. Treat those kids as younger brothers. Take some Selfies of them with full of smiles and happy faces…”

Afterwards, victims must take screenshots of corresponding posts on social media. This ‘task’ concludes with the line, “Help those less fortunate than you, for it is real human existence.”

Activity 3: In the third component of this triathlon, the hackers request for the victim to identify those who need assistance paying for medical treatments, and for the victim to support those individuals financially. “Provide them with the maximum part of [the] required amount.”

Victims are then asked to take selfies with the needy and to share them on Facebook and Instagram.

GoodWill ransomware’s not-so-good will

Demanding that people move forward with performative acts of kindness or else face blackmail arguably doesn’t reflect such good-will. The entire package also leads us to wonder about the future of ransomware threats. Will we see more demands like this, or even greater theatrics?

For more on this story, please see’s past coverage. Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the newsletter.