{
	"id": "6a0f2419-2054-49a8-aea1-d22c58bfb08c",
	"created_at": "2026-04-06T00:22:16.402827Z",
	"updated_at": "2026-04-10T03:21:01.049294Z",
	"deleted_at": null,
	"sha1_hash": "bddcd85e23a9416d91ac124c3e57764d0c892072",
	"title": "Robin Hood Ransomware ‘GOODWILL’ Forces Victim for Charity - Home",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1321287,
	"plain_text": "Robin Hood Ransomware ‘GOODWILL’ Forces Victim for\r\nCharity - Home\r\nBy Tejaswini Sandapolla\r\nPublished: 2022-06-13 · Archived: 2026-04-05 21:39:36 UTC\r\nGoodwill Ransomware, identified by CloudSEK researchers in March 2022, is known to promote social justice on the internet. It encrypts documents, databases, videos, and photos after it infects the whole system. The files become inaccessible to the victims, and the Robin Hood-style ‘Goodwill’ asks the victim to donate to socially driven activities to get their files back. For example, Goodwill Ransomware forces victims to donate new clothes to the homeless, provide financial assistance to the poor, and more. They then ask victims to post it online.\r\nHowever, a few other ransomware families have other motives for forcing victims to perform some act to retrieve their infected files. Quick Heal published a blog about Sarbloh Ransomware, which was related to the Farmer Protests and was not demanding any ransom. Similarly, Goodwill ransomware acts as a Robin Hood and forces victims to help the poor. Let us look in more detail at this ransomware and how the attacker gets hold of the files in the system.\r\nTechnical Analysis\r\nLet us analyse the hash (MD5: cea1cb418a313bdc8e67dbd6b9ea05ad). This is a .NET compiled file. The executable is packed with Fody; hence we can see only the main routine.\r\nWe can also observe references to Costura.\r\nFig 1: Costura References\r\nCostura is a plugin for Fody that allows developers to embed all the dependencies as resources packed inside the final .NET executable.\r\nhttps://blogs.quickheal.com/a-new-ransomware-goodwill-hacks-the-victims-for-charity-read-more-to-know-more-about-this-ransomware-and-how-it-affects-its-victims/\r\nPage 1 of 6\r\nFig 2: Plugin\r\nIt can be seen in the above image how the embedded dependencies are fetched and unpacked.\r\nUpon execution it connects to the URL hxxp[:]//9855-13-235-50-147.ngrok[.]io/alertmsg[.]zip and downloads the alertmsg.zip file into the location C:\\Users\\Public\\Windows\\Ui\r\nAll the content related to the ransom notes and encryption information is in the zip file. This executable coordinates with the contents of the zip. It encrypts the files and appends the extension “.gdwill”.\r\nTo recover the files, 3 activities need to be performed as shown below:\r\nFig 3: Ransom note\r\nAfter completing all the given activities, the details must be sent to the email in the below format:\r\nFig 4: Email Format\r\nThe ransomware attackers ask the victims to provide convincing evidence that the activities were done. After that, the person orchestrating this threat will provide a decryption tool to recover the files. Let us look at how the threat actors encrypt the files via the snapshot given below.\r\nFig 6: Encryption\r\nEncryption Process\r\n1. GeneratePassword: A password is randomly generated and then base64 encoded. The SHA256 of this base64-encoded data later forms the key for AES encryption.\r\n2. GenerateSystemId: The SystemID of the victim’s machine is obtained.\r\n3. CheckConnection: Pings google.com and checks whether the internet is working.\r\n4. MakeConnection: Uploads the password and SystemID to the server along with the location and IP.\r\n5. RetrieveFiles: AES encryption is performed, with the key generated in Step 1, on files with the extensions .pptx, .docx, .xlsx, .txt, .pdf, .500, .jpeg, .jpg, .png.\r\n6. AlertingUser: Launches index.html (containing the ransom note) via launch.bat, present in alertmsg.zip.\r\nFig 7: Batch file for alert\r\nThis malware also sleeps for a few seconds to evade analysis.\r\nFinally, it was found that this ransomware was derived from the open-source Jasmin Encryptor, which can be found at https://github.com/codesiddhant/Jasmin-Ransomware.\r\nHow do we prevent such kinds of attacks?\r\nTo keep ourselves secure from such attacks, follow the great saying “Prevention is better than Cure”! The infection vector is usually email, so do not open attachments from an untrusted sender. Do not enable macros in documents received through email correspondence. Avoid clicking on unverified links and those in spam emails. Keep your software and antivirus updated. Always remember to back up your data so that you can recover it even in the case of a ransomware attack.\r\nConclusion\r\nIn the content above, we have looked into how Goodwill Ransomware is related to the open-source Jasmin. It has modified the open-source code; for example, in Jasmin, files are encrypted with the “.jasmin” extension, whereas GoodWill files are encrypted with “.gdwill”. In Jasmin, the hosted endpoint points to localhost, whereas Goodwill points to an external C2. This ransomware is unique because of its charitable nature instead of demanding money. Strings present in the file, such as “Error h bhaiyya,” suggest that the roots of this hack are in India.\r\nIndicators of compromise (IOC)\r\ncea1cb418a313bdc8e67dbd6b9ea05ad\r\nQuickHeal Protection\r\nTrojan.YakbeexMSIL.ZZ4\r\nSource: https://blogs.quickheal.com/a-new-ransomware-goodwill-hacks-the-victims-for-charity-read-more-to-know-more-about-this-ransomware-and-how-it-affects-its-victims/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.quickheal.com/a-new-ransomware-goodwill-hacks-the-victims-for-charity-read-more-to-know-more-about-this-ransomware-and-how-it-affects-its-victims/"
	],
	"report_names": [
		"a-new-ransomware-goodwill-hacks-the-victims-for-charity-read-more-to-know-more-about-this-ransomware-and-how-it-affects-its-victims"
	],
	"threat_actors": [],
	"ts_created_at": 1775434936,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bddcd85e23a9416d91ac124c3e57764d0c892072.pdf",
		"text": "https://archive.orkl.eu/bddcd85e23a9416d91ac124c3e57764d0c892072.txt",
		"img": "https://archive.orkl.eu/bddcd85e23a9416d91ac124c3e57764d0c892072.jpg"
	}
}