Resume Ransomware: GoldenEye targets hiring managers, recruiters and HR

People charged with filling career positions at their companies need to be on the lookout for ransomware—especially GoldenEye ransomware.

GoldenEye is a new form of ransomware written by the same cybercriminal who gave us the Petya and Mischa ransomware attacks. The author has applied some of the same distribution tactics that Petya and Mischa are known for by masking the ransomware as a job application. GoldenEye attacks typically begin with an email that appears to be from someone interested in a position. The inboxes of human resource personnel and hiring managers are often swamped with emails from potential candidates. As a result, very little time may be spent reviewing each email. Instead, recruiters and HR managers open the attachments and quickly screen resumes or cover letters to determine if the applicant is qualified for the position. GoldenEye takes advantage of this behavior. GoldenEye is currently targeting potential victims in German-speaking countries, but that could change at any moment.

GoldenEye emails include two attachments: a PDF cover letter and an Excel spreadsheet with a file name that includes the phony applicant’s last name, a dash and the word “application” in German. The cover letter looks entirely legitimate. It has an introductory statement and a photograph, and then states that the Excel file contains references and results from an aptitude test. The PDF attachment does not include any malicious code, but the presence of a well-written cover letter aids in convincing the victim to open the second attachment, an Excel file.

The Excel file contains the ransomware as a macro. The file displays a flower logo that appears to be loading something. Microsoft Office blocks the macro unless macros have been enabled by the victim. Victims are enticed to enable the macros so that the loading screen will disappear to display the resume content. However, once enabled by the victim, the macro will save code into an executable file in the victim’s temp directory and then launch the ransomware. The program encrypts files and displays a ransom message. However, after the initial ransom message is displayed, GoldenEye restarts the machine and encrypts the Master File Table (MFT) and replaces it with a custom boot loader that shows the ransom message upon computer startup.
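As an added example (not code from the original article), the following mail-gateway check looks for the lure described above: a message that pairs a PDF with a spreadsheet carrying a VBA project. The function names, the sample file names and the byte-level macro heuristic are assumptions of this example, and the sample message is constructed with placeholder content.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .xls compound-file header
SHEET_EXT = (".xls", ".xlsm", ".xlsb", ".xlsx")

def has_vba_macros(data: bytes) -> bool:
    """Heuristic: does this spreadsheet carry a VBA project?"""
    if data[:2] == b"PK":  # OOXML workbooks are ZIP containers
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return True  # unparseable container: fail closed
    if data.startswith(OLE_MAGIC):
        # OLE directory names are UTF-16LE; VBA storages contain "_VBA_PROJECT"
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False

def triage(raw: bytes) -> dict:
    """Classify the attachments of one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    pdfs, macro_sheets = [], []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".pdf") or data.startswith(b"%PDF"):
            pdfs.append(name)
        elif name.endswith(SHEET_EXT) and has_vba_macros(data):
            macro_sheets.append(name)
    return {"pdfs": pdfs, "macro_sheets": macro_sheets,
            "goldeneye_like": bool(pdfs and macro_sheets)}

def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: application e-mail with a PDF and a spreadsheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"placeholder, not real VBA")
    msg = EmailMessage()
    msg.set_content("Please find my application attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="cover-letter.pdf")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="applicant-application.xlsm")
    return msg.as_bytes()
```

A gateway would typically quarantine or strip any macro-bearing spreadsheet from an external sender; the `goldeneye_like` flag only adds the PDF pairing as a prioritisation hint for analysts.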

GoldenEye essentially performs the file encryption activities of Mischa and then restarts to perform the MFT encryption activity of Petya. Both encryption methods have been improved, and decryption methods for Petya and Mischa will not work on GoldenEye.

GoldenEye’s ransom message instructs victims to go to a URL on the dark web to obtain their decryption key. Victims will need the decryption code presented in the ransom message to pay the ransom.

Be careful when opening any attachments from an unknown person and ensure you have a backup of critical files so that GoldenEye does not claim a ransom from you.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Interviewing Tips from Microsoft

In a 2008 blog entry, Steve Clayton at Microsoft mentions the five things he looks for in candidates when hiring. This information is useful for both job candidates and those looking for qualified people. Here are his five tips:
  1. Hire for diversity, not consistency – I wanted people in my team as diverse as I could. Having twenty brilliant but unmanageable tech wizards in the team doesn’t work. Balancing out the wizards with the delivery guys worked out well.
  2. Hire Delivery Guys (and girls) – I don’t mean postal workers. I mean make sure you have folks who simply deliver – again and again, on time and with minimum fuss. When the chips are down, they come to the fore, and your wizards take a back seat. As a side note, figure out what makes these people happy and reward them well. They’re gold.
  3. Hire Wizards – in my experience every great team has one (or more) who are just brilliant minds. They’re the creative ideas people who differentiate you from the average team. They’re often a nightmare to manage, but they’re worth it. How do you know a wizard? They’re curious.
  4. Hire Curious People – by this I mean people who have a natural curiosity. Stephen mentions this in his interview with Bill Taylor, and it struck a chord with me. These are the people who ask questions. Constantly. They may not ask questions out loud, but they will question things and often go away and explore to find the answer for themselves. They may never need the information or use it – but one day they may. Trust me, this is a very valuable skill. These people become information hubs, and you hear their names again and again in the company as they’re “go to” people. I learnt some of this from my Granddad…but that’s a story for another day.
  5. Hire Passionate Readers – this doesn’t mean hire people who read Mills and Boon. It’s similar to curious people but worth calling out separately. A friend (who is a wizard and curious) taught me this interview question when I joined Microsoft. Ask someone what magazine they regularly read. Let’s say they answer with WIRED. Then ask them how many back issues they have in their loft. It’s not a deal breaker question, but my guess is if you’re reading this you know what I mean. People who are passionate about stuff read about it. A LOT. Okay, so they may read online now, and this question may be dated, but try it anyway. They may say “ah I just auctioned off my 8-year collection of National Geographic on eBay.” That’s a hire.

For interviewing help go to http://interviewexcellence.org