People charged with filling career positions at their companies need to be on the lookout for ransomware, especially GoldenEye ransomware.
GoldenEye is a new form ransomware written by the same cybercriminal who gave us the Petya and Mischa ransomware attacks. The author has applied some of the same distribution tactics that Petya and Mischa are known for by masking the ransomware as a job application.
The GoldenEye Attack
GoldenEye attacks typically begin with an email that appears to be from someone interested in a position. The inboxes of human resource personnel and hiring managers are often swamped with emails from potential candidates. As a result, very little time may be spent reviewing each email. Instead, recruiters and HR managers open the attachments and quickly screen resumes or cover letters to determine if the applicant is qualified for the position. GoldenEye takes advantage of this behavior.
GoldenEye emails include two attachments; a PDF cover letter and an Excel spreadsheet with a file name that includes the phony applicant’s last name, a dash and the word “application” in German. The cover letter looks entirely legitimate. The cover letter has an introductory statement, photograph and then states that the Excel file contains references and results from an aptitude test. The PDF attachment does not include any malicious code but the presence of a well-written cover letter aids in convincing the victim to open the second attachment, an Excel file.
The Excel file contains the ransomware as a macro. The file displays a flower logo that appears to be loading something. Microsoft Office blocks the macro unless macros have been enabled by the victim. Victims are enticed to enable the macros so that the loading screen will disappear to display the resume content. However, once enabled by the victim, the macro will save code into an executable file in the victim’s temp directory and then launch the ransomware. The program encrypts files and displays a ransom message. However, after the initial ransom message is displayed, GoldenEye restarts the machine and encrypts the Master File Table (MFT) and replaces it with a custom bootloader that shows the ransom message upon computer startup.
GoldenEye essentially performs the file encryption activities of Mischa and then restarts to perform the MFG encryption activity of Petya. Both encryption methods have been improved, and decryption methods for Petya and Mischa will not work on GoldenEye.
GoldenEye’s ransom message instructs victims to go to a URL on the dark web to obtain their decryption key. Victims will need the decryption code presented in the ransom message to pay the ransom.
Be careful when opening any attachments from an unknown person and ensure you have a backup of critical files so that GoldenEye does not claim a ransom from you. GoldenEye is currently targeting potential victims in German-speaking countries, but that could change at any moment.