30 May 2022

New GoodWill ransomware promotes social justice, demands to donate to the poor



A new Robin Hood-like ransomware strain has been discovered that demands that victims carry out good deeds before receiving a decryptor to restore files rendered inaccessible.

Dubbed “GoodWill,” the ransomware is written in .NET and packed with the UPX packer, according to CloudSEK researchers, who discovered the new strain in March 2022. The ransomware uses the AES_Encrypt function to encrypt files with the AES algorithm.

While analyzing the GoodWill malware, the researchers found overlaps with HiddenTear, an open-source ransomware developed by a Turkish programmer and available on GitHub.

Once a system is infected, the GoodWill ransomware encrypts documents, photos, videos, databases, and other important files and renders them inaccessible without the decryption key. To receive the decryption tool, victims are asked to perform three socially driven activities, which include giving blanket donations to the homeless, taking five poor children to Domino's, Pizza Hut or KFC for a treat, and providing hospital patients financial assistance for treatments, which should then be documented on social media in the form of pictures or videos.

“Once all three activities are completed, the victims should also write a note on social media (Facebook or Instagram) on ‘How you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill,’” the company said.

CloudSEK researchers were able to trace the email address provided by the ransomware group back to an India-based IT security solutions and services company that provides end-to-end managed security services.

“Since there are no known victims/targets for the ransomware group, their Tactics, Techniques and Procedures remain unknown,” the researchers noted.
