Talion is a finalist for Best SIEM Solution for the 4th year in a row

Talion is a finalist for Best SIEM Solution for the 4th year in a row

GoodWill Ransomware Forces Kindness – Is It Ethical? - Talion

Ransomware gangs are known for infiltrating organisations, violating data laws and rattling employees into the submission of ransom payments.

But what if ransomware was a cause for greater good?

This raises an interesting moral debate where the ethical motives of ransomware attacks remain blurred.

We’ve taken a look at GoodWill Ransomware – the most recent act of hacktivism – and its unusual demands in exchange for a decryption key.

Hacktivism Takes A Stand

Hacktivism is nothing new – over the years, we’ve seen many victims of hacking-related attacks as a means of promoting a political or social agenda.

The recent Russia-Ukraine conflict, for example, has been a minefield for hacktivists, who have used cyber skills to take sides or release key information and news. A Polish Hacktivist movement, Squad303, developed a tool that allowed anyone to send messages to Russian cell phones to “alert them to the reality of the conflict”.

It is confusing, most of all, that these types of attack take place – how can a threat group work for the greater good when they are contradicting that good with their initial infiltration? 

GoodWill Ransomware Demands Social Intervention

Cybersecurity researchers have discovered GoodWill Ransomware – a new ransomware strain that isn’t fuelled by your typical extort-for-money threat actors. Identified initially by an India-based cybersecurity firm in March 2022, the infections block access to sensitive files using the AES encryption algorithm, before asking victims for very unusual demands in exchange of returning the encrypted documents.

In order to obtain the decryption key, victims are asked to show kindness to those suffering around them by financially assisting those in need, such as giving clothes to the homeless and offering poor children a meal from well-known fast-food brands.

The following activities were detailed specifically as followed by GoodWill:


Once all three activities are completed to GoodWill’s specifications, including photo/video proof and a social media post stating ‘How you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill’, then the victims are given the decryption kit.

On completion, the victim is even given a photo frame:


There is currently no known victims or targets for the GoodWill ransomware group, so their techniques or future intentions remain unknown. However, analysis of researchers has shown that the email address and network artifacts connect to operators from India who speak Hindi.

There has also been identification of significant overlaps with another Windows-based strain called HiddenTear – the first ransomware to have been open-sourced as a proof-of-concept in 2015 by a Turkish programmer.

Can Ransomware Ever Be Ethical?

We can safely say that ransomware is seen as inherently bad by almost all people, what with the illegal infiltration of company data and systems, as well as blackmailing victims into paying up enormous ransom fees. However, when it comes to ransomware groups like GoodWill and their intention for victims to help those less fortunate than them, where do you draw the line? Could this be a necessary evil to address the societal issues we have surrounding fortune and justice?

Although no victims of GoodWill ransomware have been identified as of yet, there is the question of whether the targets will be sought out with purposeful intent. If the goal of GoodWill is to encourage kindness to those less fortunate, will they be seeking out individuals based in regions with more significant wealth disparity between rich and poor? Will they assess the wealth of the individual or business before infiltrating their data, to ensure they aren’t accidentally targeting the poor they claim they want to help? The screening process is unclear, or perhaps not thought-out enough.

The goodness of kind deeds often lies in the initiative and feeling of the individual who chooses to do it, and so GoodWill ransomware is hardly moral in their attempt to push their motivations onto others in alignment with their own narrow view. Surely there is a more ethical way to plead the case of social justice, and we see this everyday in the form of charities, protests and more.



Whilst hacktivism is an interesting source of debate in terms of the boundaries of morality, it is a prime cause of concern when victims are blackmailed into taking action on behalf of a larger threat group, especially when an unknown source has the capability to dictate their worldview and ideology onto innocent civilians.

With no current victims of Goodwill ransomware identified, it is currently posing no threat, but it is important for organisations and individuals to be aware of the techniques cyber attackers are capable of using. Their supposed “goodness” can be used to manipulate victims’ state of mind, and this is arguably the most detrimental form of attack, since victims are unhinged from their usual logic.

For more information on the pressing effects of ransomware, read our blog “Ransomware Costs: Beyond The Cash” or discover our #RansomAware campaign.

Feel free to reach out to us for complimentary advice on mitigating cyber-attacks here.


Watch demo video
We’re a tight-knit, highly skilled operation, so when a threat arises, we move quickly.
Watch demo video
We’re a tight-knit, highly skilled operation, so when a threat arises, we move quickly.
24x7x365 UK-based Security Operations Centre
Service underpinned by market leading threat intelligence team
Continually developed threat relevant content, backed by SLAs
MDR service has featured in the Gartner Magic Quadrant for 6 consecutive years
Experts in SIEM and SOAR technology
UK-based Senior Leadership
Looking to maximise value and flexibility?
Learn how Talion and DEVO partner to achieve this.
Discuss your cyber security needs
Contact us below and one of our team will be in touch to answer your questions.

Call us on 0800 048 5775

Call us directly and we’ll put you in touch with the most relevant cyber expert.

Get In Touch With Us

Not currently free to call? Give us a brief description of what you’re looking for by filling out our form and we’ll email you as soon as we can.

CISO Cyber Dinner – Register Your Interest!

Thought-provoking cyber security discussion at Michelin-star restaurants across the UK.