GoodWill Ransomware: Complete Guide

GoodWill ransomware is a type of malware that infects a target computer and encrypts files, making them inaccessible to the user. It was first discovered in March 2022 and is considered a new variant of the Jasmin ransomware family, built from that family's open-source tool.

What sets GoodWill apart from other ransomware strains is its demand for victims to perform charitable acts or donate to social causes to regain access to their files, in a tactic similar to the Malas ransomware. The specific actions required by GoodWill ransomware may vary, but they often involve donating money or clothes to the poor.

The ransomware group claims to be interested in helping the less fortunate, rather than extorting victims for financial motivations. Victims are required to perform three predetermined good deeds, such as donating clothes to the homeless, feeding less fortunate children, and providing financial assistance to hospital patients. They must also document and share their acts of kindness on social media. Victims are typically given a deadline to complete the charitable acts, after which their files may be permanently deleted or the ransom amount may increase.

SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against ransomware attacks. And, in case of a ransomware attack, contact our ransomware recovery experts immediately.

What kind of malware is GoodWill?

GoodWill is a type of malware that has been identified by an India-based cybersecurity firm as a strain of ransomware. It is a unique form of malware that forces victims to perform acts of charity and kindness in exchange for the decryption key.

Some notable features of GoodWill ransomware include:

  • Written in .NET: The ransomware is developed using the .NET framework, a software development platform.
  • AES encryption algorithm: GoodWill ransomware uses the AES encryption algorithm to block access to sensitive files, making it difficult for victims to recover their data without the decryption key.
  • Sleeping for 722.45 seconds: The malware incorporates a sleep function, which delays its execution for approximately 722.45 seconds. This feature aims to interfere with dynamic analysis, making it harder for security researchers to study the ransomware’s behavior.

After the encryption process, GoodWill ransomware displays a multiple-paged ransom note that requires victims to carry out three socially-driven activities to obtain the decryption key. These activities can include donating to the poor, providing financial assistance to patients in need, or performing other acts of kindness.

Everything we know about GoodWill ransomware

Confirmed Name

  • GoodWill virus

Threat Type

  • Ransomware
  • Crypto Virus
  • Files locker
  • Double extortion

Encrypted Files Extension

  • .gdwill

Is There a Free Decryptor Available?

No, there’s no public decryptor for GoodWill ransomware.

Distribution methods

  • Phishing emails
  • Compromised credentials
  • Unmanaged devices or bring your own device (BYOD)
  • Internet-facing applications

Consequences

  • Files are encrypted and locked
  • Data leak
  • Double extortion

What is in the GoodWill ransom note

The GoodWill ransomware displays a multiple-paged ransom note that requires victims to perform three socially-driven activities to obtain the decryption key. These activities can include donating new clothes to the homeless, taking less fortunate children to a fast-food restaurant for a treat, and providing financial assistance to anyone who needs urgent medical attention but cannot afford it. Victims are required to document and share their acts of kindness on social media.

The ransom note does not name the malware; the charity demand itself is the unique feature of GoodWill ransomware that distinguishes it from other ransomware strains.

If you realize you’re a ransomware victim, contacting SalvageData ransomware removal experts provides you with a secure data recovery service and ransomware removal after an attack.

How does GoodWill ransomware infect a machine?

Phishing emails, compromised credentials, unmanaged devices or bring your own device (BYOD), and internet-facing applications are common entry points for ransomware, including GoodWill ransomware.

Once the system is infected, the GoodWill ransomware worm encrypts documents, photos, videos, databases, and other important files and renders them inaccessible to the victims. The encrypted files are given the file extension “.gdwill”. After the encryption process, GoodWill ransomware displays a multiple-paged ransom note that requires victims to carry out three socially-driven activities to obtain the decryption key.

Phishing emails

Phishing is a fraudulent practice in which an attacker masquerades as a reputable entity or person in an email or other form of communication. Phishing emails often tell a story to trick recipients into clicking on a link or opening an attachment, such as claiming there’s a problem with their account or offering a coupon for free stuff.

Attackers commonly use phishing emails to distribute malicious links or attachments that can extract login credentials, account numbers, and other personal information from victims.

Compromised credentials

Ransomware operators can gain access to systems using stolen or weak credentials.

This can occur through various means, such as credential stuffing, where attackers use previously leaked usernames and passwords to gain unauthorized access to accounts.

Unmanaged devices or bring your own device (BYOD)

Unmanaged devices or BYOD policies can introduce vulnerabilities to a network through unsecured or compromised devices.

Internet-facing applications

Internet-facing applications can be exploited by ransomware operators to gain unauthorized access to systems.

Organizations should ensure that their applications are properly secured and updated to minimize the risk of exploitation by ransomware operators.

How does GoodWill ransomware work

GoodWill ransomware is a unique form of malware that forces victims to perform acts of charity and kindness in exchange for the decryption key.

Here is how GoodWill ransomware works:

Infection

GoodWill ransomware can infect a system through various means, including phishing emails, compromised credentials, unmanaged devices or bring your own device (BYOD), and internet-facing applications.

Encryption

Once the system is infected, the GoodWill ransomware worm encrypts documents, photos, videos, databases, and other important files and renders them inaccessible to the victims. The encrypted files are given the file extension “.gdwill”. GoodWill ransomware uses the AES encryption algorithm to encrypt victims’ files. AES is a widely used encryption standard that is considered secure and robust, and without the key it is extremely hard to break.

Ransom note

After the encryption process, GoodWill ransomware displays a multiple-paged ransom note that requires victims to perform three socially-driven activities to obtain the decryption key. These activities can include donating new clothes to the homeless, taking less fortunate children to a fast-food restaurant for a treat, and providing financial assistance to anyone who needs urgent medical attention but cannot afford it. Victims are required to document and share their acts of kindness on social media in order to receive the decryption key.

Decryption

Once the victims have completed the required activities and shared them on social media, the GoodWill ransomware operators provide them with the decryption key to recover their files.

Do not comply with the ransom demand! Although this may look like a real-life “Robin Hood”, the GoodWill group is still a criminal hacker group. Therefore, contact local authorities and a ransomware removal service to restore your files and remove any remaining threat.

How to handle a GoodWill ransomware attack

The first step to recovering from a GoodWill attack is to isolate the infected computer by disconnecting it from the internet and removing any connected devices. Then, you must contact local authorities. For US residents and businesses, that means the local FBI field office and the Internet Crime Complaint Center (IC3).

To report a ransomware attack you must gather all the information you can about it, including:

  • Screenshots of the ransom note
  • Communications with threat actors (if you have them)
  • A sample of an encrypted file

However, if you prefer to contact professionals, then do nothing. Leave every infected machine the way it is and ask for an emergency ransomware removal service.

Restarting or shutting down the system may compromise the recovery service. Capturing the RAM of a live system may help recover the encryption key, and a captured dropper file (the file that executes the malicious payload) can be reverse-engineered, which may lead to decryption of the data or at least to an understanding of how the ransomware operates.

What NOT to do after a ransomware attack

You must not delete the ransomware, and you must keep all evidence of the attack. That is important for digital forensics, so that experts can trace the attack back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find those responsible. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.

1. Contact your Incident Response provider

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

If you contact your IR service provider, they can take over immediately and guide you through every step in the ransomware recovery. However, if you decide to remove the ransomware yourself and recover the files with your IT team, then you can follow the next steps.

2. Identify the ransomware infection

You can identify which ransomware infected your machine by the file extension (some ransomware uses the file extension as its name), by using a ransomware ID tool, or from the ransom note itself. With this information, you can look for a public decryptor.

You can also check the ransomware type by its IOCs. Indicators of Compromise (IOCs) are digital clues that cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.
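As an added example (not code from the page or from SalvageData), a Python triage script that gathers the evidence listed above, identifies the infection by the “.gdwill” extension from step 2, and records a SHA-256 of one encrypted file as an IOC; the file names and the sample directory are constructed, and the entropy threshold of 7.0 bits per byte is an assumption.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

GOODWILL_EXT = ".gdwill"  # extension the page reports GoodWill appends to encrypted files

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES ciphertext scores near 8.0, documents and text far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root: str, ext: str = GOODWILL_EXT, threshold: float = 7.0) -> dict:
    """Walk `root` and collect what an IR or law-enforcement report asks for: a count of
    files carrying `ext`, the SHA-256 of one genuinely encrypted sample, and any `ext`
    files whose bytes are still low-entropy (renamed but not encrypted, or another strain)."""
    report = {"encrypted_files": 0, "sample": None, "low_entropy": [], "by_extension": Counter()}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):  # deterministic order for the sample pick
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(ext):
                report["by_extension"][os.path.splitext(name)[1].lower()] += 1
                continue
            report["encrypted_files"] += 1
            digest, head = hashlib.sha256(), b""
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)  # hash the whole file for the evidence record
                    head = head or chunk[:4096]  # entropy over the first 4 KiB is enough
            if shannon_entropy(head) < threshold:
                report["low_entropy"].append(path)
            elif report["sample"] is None:
                report["sample"] = (path, digest.hexdigest())
    return report

def demo() -> dict:
    """Constructed sample tree (not real victim data): a plain document, one '.gdwill'
    file of random bytes standing in for ciphertext, and one renamed-but-plaintext file."""
    root = tempfile.mkdtemp(prefix="gdwill-triage-")
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(b"quarterly numbers " * 500)
    with open(os.path.join(root, "report.docx.gdwill"), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(root, "notes.txt.gdwill"), "wb") as fh:
        fh.write(b"still plaintext " * 200)
    return triage(root)
```

Run it against a copy of the affected share rather than the live machine, so the original evidence stays untouched for the forensics team.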

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

4. Use a backup to restore the data

Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup of it. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and prevent GoodWill ransomware from attacking your network again.

Contact our experts 24/7 for emergency recovery service.

Prevent the GoodWill ransomware attack

Preventing ransomware is the best solution for data security: it is easier and cheaper than recovering from an attack. GoodWill ransomware can cost your business its future and even close its doors.

By taking these proactive measures, individuals and organizations can reduce the risk of a GoodWill ransomware attack and protect their data from being encrypted and held for ransom.

These are a few tips to ensure you can avoid ransomware attacks:

  • Educate employees on cybersecurity and phishing awareness to help them recognize and avoid phishing attempts.
  • Implement security measures, such as firewalls, antivirus software, and intrusion detection systems, to detect and block malicious traffic.
  • Stay vigilant and monitor network activity for any signs of suspicious behavior.
  • Keep software up to date with the latest security patches to prevent ransomware from exploiting unpatched vulnerabilities.
  • Implement strong access controls, such as multi-factor authentication and regular credential monitoring, to prevent ransomware operators from gaining access to systems using stolen or weak credentials.
  • Secure unmanaged devices and BYOD policies by implementing security measures such as device encryption and remote wipe capabilities.
  • Regularly scan and patch internet-facing applications to prevent ransomware operators from exploiting vulnerabilities.
Heloise Montini

Heloise Montini is a content writer whose background in journalism make her an asset when researching and writing tech content. Also, her personal aspirations in creative writing and PC gaming make her articles on data storage and data recovery accessible for a wide audience.
