If there’s a story with a moral we understand without the need for explanation, it’s the legend of Robin Hood, the outlaw who stole from the rich to help the poor.
Pointing out that Robin Hood never existed would be to miss the point—the need for a figure who rights the world’s injustices is a satisfying fable with timeless appeal.
This appeal goes some way to explaining the strange news that researchers in India have discovered a new strain of hacktivist ransomware that asks victims to prove they have performed three good deeds in return for a decryption key.
Spreading since March and named ‘Goodwill’ after a phrase used in the ransom message, this apparent do-gooding outlook represents a bizarre first for ransomware. Here’s the list of tasks it sets victims, as described by Indian security company CloudSEK:
“Activity 1: Donate new clothes to the homeless, record the action, and post it on social media.
Activity 2: Take five less fortunate children to Dominos, Pizza Hut, or KFC for a treat, take pictures and videos, and post them on social media.
Activity 3: Provide financial assistance to anyone who needs urgent medical attention but cannot afford it, at a nearby hospital, record audio, and share it with the operators.”
From these requests, it’s clear that Goodwill is probably more of an attention-grabbing publicity stunt than a serious Robin Hood ransomware campaign, although it’s worth pointing out that it would not be fun to be infected by it.
So why write about it, thereby giving it even more attention?
Two reasons. The first is the observation that cyberattacks-with-a-cause seem to have increased recently after a relative lull, especially around the Ukraine conflict.
The second is the codebase on which Goodwill seems to be partly based. It’s the controversial Turkish HiddenTear open source ransomware kit released on GitHub as an “educational” proof-of-concept in 2015.
What has limited hacktivism is the difficulty of pulling off more sophisticated attacks, i.e. those that don’t rely on Distributed Denial-of-Service (DDoS) nuisance attacks or crude web defacement. In theory, open source kits might tilt that balance—and sure enough, this particular kit has generated a series of ransomware examples, of which this is only the latest.
None have proved terribly significant, and there’s now a brute force tool available to retrieve the symmetric AES keys used for encryption/decryption.
You might conclude from this that open source ransomware isn’t a big deal, and so far you’d be correct. However, this might not always be so.
In March, a group calling itself the Belarusian Cyber Partisans said it had attacked the country’s state railways with ransomware, providing evidence of a compromise without confirming the strain used.
In the same month, someone leaked the source code for the Conti ransomware, one of the biggest brands in the whole industry.
Goodwill is an example of how motive and technical capability are lining up in a way that hasn’t been the case in the past. Where this ends up is anyone’s guess. It might lead to a world of Goodwill-like pranks. But it could equally turn into something much more destructive. If that happens, it could happen very quickly, handing negative power to a sector that won’t be bought off so easily with insurance-backed ransoms.