Do goodwill ransomware gangs really exist?

Over the past few years, ransomware has been wreaking havoc across the world and it continues to be a prevalent threat for almost every industry. Ransomware attacks can lead to severe consequences for organizations and businesses such as financial losses, brand and reputation damage, employee layoffs or business closures.

In most ransomware attacks, ransomware operators encrypt data on a victim’s network and hold it hostage in exchange for a ransom, which may vary from hundreds to millions of dollars. If a company refuses to pay, hackers can leak or destroy files or sell access to the compromised network to third parties. However, ransomware operators sometimes resort to rather unconventional methods to get their victims to pay.

For example, in May 2016, a ransomware variant with a “philanthropic” twist was discovered that promised to donate the ransom to a children’s charity.

Another Robin Hood-like ransomware strain called “GoodWill” takes a different approach, compelling victims to perform good deeds instead of paying thousands of dollars for the decryption key. Like any other ransomware, GoodWill encrypts data on the compromised system, but rather than demanding a ransom in cryptocurrency, it forces the victim to help the less fortunate by donating clothes/blankets to the homeless, feeding poor children, and providing financial assistance to anyone who requires urgent medical attention (and to share proof of this on social media).

At first glance, the GoodWill ransomware operators’ unusual approach may seem like a noble endeavor, but demanding that people perform acts of kindness in order to restore their encrypted files is still an invasion of privacy, blackmail and manipulation.

In the past, some ransomware gangs tried to improve their image by using a “Robin Hood” approach. In 2020, DarkSide, a now-defunct ransomware group behind multiple high-profile attacks, including the 2021 Colonial Pipeline hack, donated part of the ransom money that it had previously extorted from its victims to two charity organizations.

But despite the intent behind such seemingly “altruistic” efforts, the primary purpose of ransomware remains the same: to extort money from victims by blocking access to their own data.

As the ransomware-as-a-service (RaaS) market flourishes, ransomware actors are constantly evolving their tactics and attack methodology to maximize the impact of a successful attack. According to a recent survey, 83% of successful ransomware attacks now include threats of double and triple extortion alongside ransom demands.

Double extortion is a tactic where cybercriminals not only steal an organization’s data but also threaten to publish it if the ransom is not paid. Under triple extortion, threat actors demand payment from those who may be impacted by the leaking of the compromised organization’s data. Triple extortion can also include additional attacks carried out against the original target if the company doesn’t comply.

The survey found that, of the companies hit with ransomware, 38% experienced attacks threatening to extort customers with stolen customer data, 35% of attacks threatened to expose data on the dark web, and 32% threatened to inform customers that data was stolen.

In addition, 16% of the organizations that refused to pay the ransom had their data exposed on the dark web, and 18% of victims who paid the ransom still had their data leaked. Of those organizations that paid ransomware operators, 35% were not able to retrieve their data.

Worse, given the division of labor and collaboration between different gangs on the global cybercrime market, the gang behind the ransomware attack is usually not the only one with access to the stolen data. Thus, even after accepting a payment from the victim, the gang has no real means to guarantee that its accomplices won’t suddenly leak the data for fun or for profit.

Furthermore, a majority (72%) of organizations surveyed admitted that ransomware attacks are evolving faster than the security controls needed to protect against them. It is predicted that ransomware will cost its victims over $265 billion annually by 2031, with a new attack hitting consumers or businesses every 2 seconds.

With each year, ransomware attacks become more and more sophisticated. Ransomware can hit any individual or industry, and no business or organization is off-limits. According to some reports, the number of ransomware attacks increased by 100% in 2021 alone. Furthermore, globally, the average cost of a ransomware breach hit a record $4.62 million (and this figure didn’t even include the ransom payment).

A threat as profitable as ransomware isn’t going away anytime soon, not least thanks to the influx of ransomware-as-a-service programs that require no extensive knowledge about breaking into computer networks but allow their users to make a fast buck.

Hacking campaigns, such as ransomware, can be easily deployed via ransomware-as-a-service, which is now widely offered by professional cyber gangs to beginners. The concomitant proliferation of cryptocurrencies makes such crimes technically uninvestigable, while law enforcement agencies and joint task forces are already overburdened with nation-state attacks and transnational targeted attacks aimed at stealing intellectual property from the largest Western companies.

Therefore, organizations must implement proactive protection rules to minimize the risk of this threat. These involve developing a backup and recovery plan; keeping the operating system and software up-to-date with the latest patches; maintaining up-to-date anti-virus solutions; scanning all software downloaded from the internet prior to executing it; using caution when opening emails; ensuring control over the connection of external devices; blocking unused ports on protected hosts to prevent unauthorized access; and educating the organization’s employees on safety issues.

Ekaterina Khrustaleva, Chief Operating Officer, ImmuniWeb

Ekaterina Khrustaleva holds a Bachelor’s degree in Accounting and Finance. She completed executive programs in cybersecurity at Harvard University, on blockchain at Oxford University and on organizational leadership at IMD in Lausanne, and started her career in private banking, where she was inspired by the emerging cybersecurity market.

Ekaterina started her cybersecurity career in 2010 as a sales executive. In 2013, after several promotions for performance and highly creative sales tactics, Ekaterina became Chief Operating Officer of High-Tech Bridge, a leading penetration testing company in Geneva.

Today, Ekaterina manages ImmuniWeb’s global sales operations. Speaking five languages, she is also in charge of global partnerships and strategic alliances at ImmuniWeb. Ekaterina is a member of several private clubs gathering the most successful business leaders, executives and entrepreneurs. She is also a member of ISACA and a Certified Data Privacy Solutions Engineer (CDPSE).
