From the Labs: YARA Rule for Detecting GoodWill

ReversingLabs threat analysts are constantly working to respond to new threats and provide our customers with information and tools to defend their systems from attacks. Written by our threat analysts, our high-quality, open source YARA rules help threat hunters, incident responders, security analysts, and other defenders detect malicious behavior in their environment.

In this series, we break down some of the threats behind our YARA detection rules and help your organization to detect them within your environment.

GoodWill: Payment in the form of “kind” acts

Discovered by CloudSEK researchers in March of 2022, GoodWill is a unique form of ransomware that does not demand payment in the form of monetary value, in contrast with most other ransomware operations. Instead, it asks victims who have been infected with the malware to perform acts of kindness, giving it the “GoodWill” name.

Similar to other kinds of ransomware, GoodWill acts as a worm in a victim’s environment, encrypting documents, photos, videos, databases, and other crucial files. Once GoodWill infects the user’s environment, the victim cannot gain access to their files without GoodWill’s decryptor key. The threat actors behind GoodWill then leave detailed instructions for victims on how to obtain the decryption key from them.

Rather than demand that a typical cryptocurrency ransom be paid to the threat actor, victims are asked to perform three specific actions, record themselves doing it, and then post these recordings on social media to serve as proof. The actions include donating clothes, providing meals to less fortunate children, and providing financial assistance to those struggling to pay their medical bills.

In order to obtain the decryption key after performing these kind acts, victims then must post “a beautiful article” on Facebook or Instagram that shares the victim’s “wonderful experience” of transforming into a “kind human being by becoming a victim of a Ransomware called GoodWill,” as stated in the GoodWill ransom note.

There are still no known victims of the GoodWill ransomware, leaving a gap in what is known about the threat actor’s techniques. Researchers at CloudSEK were able to determine that the threat actor behind GoodWill is based in India.

Attacker Techniques

GoodWill, written in .NET, uses the AES encryption algorithm to carry out its attacks. GoodWill also sleeps for 722.45 seconds, allowing the malware to interfere with dynamic analysis. CloudSEK researchers believe that the GoodWill threat actors took inspiration from a similar Windows-based strain known as HiddenTear, which was the first of its kind to be open sourced as a proof-of-concept in 2015.

Detecting GoodWill

To protect your privacy, it is crucial to detect GoodWill infections before the threat actor has a chance to execute the malware.

ReversingLabs’ GoodWill YARA rule is designed to detect this ransomware within your environment with high fidelity and almost no false-positives.

Download the GoodWill YARA Rule from GitHub here:

ByteCode.MSIL.Ransomware.GoodWill.yara

To learn more about the prerequisites for using ReversingLabs’ YARA rules, consult our Github page.

The Work Doesn’t Stop Here

ReversingLabs’ team of analysts are constantly surveying the threat landscape in an effort to better serve our customers and the greater security community. Contact us if you’d like to learn more about how we help organizations combat threats like malicious wipers and ransomware, or to schedule a demonstration.