A variant of the Petya ransomware, dubbed “GoldenEye”, is targeting human resources (HR) departments with counterfeit job applications that carry malware.
GoldenEye has been around for a while, but security firm Check Point notes that it has recently turned its attention to HR staffers who, as part of their job, routinely open emails and attachments from unknown senders.
The campaign, which has targeted HR employees in Germany, tricks recipients with a legitimate-looking job application. Two files are attached to the email: a PDF cover letter that carries no malware and serves only to lull the recipient into a false sense of security, and an Excel file that, unbeknown to the recipient, contains malicious macros.
The Excel file shows a picture of a flower with “Loading…” text underneath, together with a message in German asking the victim to click “Enable Content” so that the macros can run.
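The pairing described above (a harmless PDF beside a macro-carrying Excel file) is a simple thing to check for at the mail gateway before a recruiter ever sees the “Enable Content” prompt. The following is an added example, not code from Check Point or from the article: it inspects attachment content rather than file names, flags OOXML workbooks that embed a VBA project (`xl/vbaProject.bin`) and legacy OLE2 binary workbooks that could embed one, and lets a plain PDF through. The attachment names and bytes are constructed stand-ins; no real sample from the campaign is used.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 compound-file container used by .xls/.doc.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def has_vba_project(data: bytes) -> bool:
    """OOXML (.xlsx/.xlsm/.docm...) is a zip; a VBA project is stored as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def classify(name: str, data: bytes) -> str:
    """Classify by content, not by the extension in `name`, so a renamed .xlsm is still caught."""
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(OLE2_MAGIC):
        # Binary Office formats can hold macros too; they need a dedicated parser to be sure.
        return "legacy-office: binary format can embed macros, needs deeper inspection"
    if has_vba_project(data):
        return "macro-office: VBA project present"
    if zipfile.is_zipfile(io.BytesIO(data)):
        return "office-no-macro"
    return "unknown"


def triage(attachments):
    """Return (name, verdict) for attachments that should be quarantined or detonated, not opened."""
    flagged = []
    for name, data in attachments:
        verdict = classify(name, data)
        if verdict.startswith(("macro-office", "legacy-office")):
            flagged.append((name, verdict))
    return flagged


def _ooxml(with_vba: bool) -> bytes:
    """Build a minimal constructed OOXML container, optionally with an (empty) VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin", b"\x00" * 32)  # stand-in, not real VBA
    return buf.getvalue()


# Constructed sample mail: benign cover letter PDF plus a macro-enabled "CV" workbook.
SAMPLE_MAIL = [
    ("Bewerbung_Anschreiben.pdf", b"%PDF-1.4\n% constructed stand-in, no real PDF body\n"),
    ("Bewerbung_Lebenslauf.xlsm", _ooxml(True)),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_MAIL):
        print(f"QUARANTINE {name}: {verdict}")
```

The check deliberately ignores the file extension: the decision rests on whether a VBA project is present in the container or whether the file is a legacy binary format that cannot be cleared without a proper OLE parser. The PDF in the pair is passed through, which matches the role the article gives it; the workbook is the part that needs detonation or a sandbox.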
“When a user clicks ‘Enable Content’, the code inside the macro executes and initiates the process of encrypting the files, denying the victim access to his or her files,” says Check Point.
“GoldenEye then appends a random 8-character extension to each encrypted file. After all the files are encrypted, GoldenEye presents the ransom note: ‘YOUR_FILES_ARE_ENCRYPTED.TXT’. After displaying the ransom note, GoldenEye forces a reboot and starts encrypting the disk. This action makes it impossible to access any files on the hard disk. While the disk undergoes encryption, the victim sees a fake ‘chkdsk’ screen, as in previous Petya variants.”
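The behaviour Check Point describes gives two host-side signals that appear before the forced reboot and the fake “chkdsk” screen: a burst of files being renamed with a random 8-character extension, and the creation of `YOUR_FILES_ARE_ENCRYPTED.TXT`. The following is an added example, not code from Check Point or from the article, showing a detection routine run over constructed file-system events (not real telemetry). It assumes the encrypted name is the original name plus a dot and the random suffix, that a random suffix mixes letters and digits (so a dated backup suffix such as `.20161206` is not counted), and that ten such renames on one host within sixty seconds is the alerting threshold; all three are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, not real logs: "<ISO time> <host> <op> <path>[ -> <newpath>]"
SAMPLE_EVENTS = [
    f"2016-12-06T09:14:{2 + i:02d}Z HR-PC-01 RENAME C:\\Users\\anna\\Docs\\file{i}.docx"
    f" -> C:\\Users\\anna\\Docs\\file{i}.docx.fG7hK2pQ"
    for i in range(12)
] + [
    "2016-12-06T09:14:15Z HR-PC-01 CREATE C:\\Users\\anna\\Docs\\YOUR_FILES_ARE_ENCRYPTED.TXT",
    # A user keeping a dated copy: 8 chars, but all digits, so not counted.
    "2016-12-06T09:20:01Z FIN-PC-07 RENAME C:\\Users\\ben\\draft.xlsx -> C:\\Users\\ben\\draft.xlsx.20161206",
    # One isolated suspicious rename: below threshold, no alert on its own.
    "2016-12-06T09:31:40Z FIN-PC-07 RENAME C:\\Users\\ben\\notes.txt -> C:\\Users\\ben\\notes.txt.fG7hK2pQ",
]

RANSOM_NOTE = "YOUR_FILES_ARE_ENCRYPTED.TXT"


def parse(line):
    """Split one constructed event line into (timestamp, host, op, path, new_path_or_None)."""
    ts_str, host, op, rest = line.split(" ", 3)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    if op == "RENAME":
        old, new = rest.split(" -> ")
        return ts, host, op, old, new
    return ts, host, op, rest, None


def looks_like_goldeneye_rename(old: str, new: str) -> bool:
    """True if `new` is `old` plus a dot and a random-looking 8-char alphanumeric suffix (assumption)."""
    if not new.startswith(old + "."):
        return False
    suffix = new[len(old) + 1:]
    if not re.fullmatch(r"[A-Za-z0-9]{8}", suffix):
        return False
    # Require a mix of letters and digits to reject dated or word-like suffixes.
    return bool(re.search(r"[A-Za-z]", suffix) and re.search(r"[0-9]", suffix))


def detect(lines, window=timedelta(seconds=60), threshold=10):
    """Return {host: [reasons]} for hosts showing GoldenEye-style encryption behaviour."""
    by_host = {}
    for line in lines:
        ts, host, op, path, new = parse(line)
        h = by_host.setdefault(host, {"renames": [], "note": False})
        if op == "RENAME" and looks_like_goldeneye_rename(path, new):
            h["renames"].append(ts)
        if op == "CREATE" and path.upper().endswith(RANSOM_NOTE):
            h["note"] = True

    alerts = {}
    for host, h in by_host.items():
        reasons = []
        times = sorted(h["renames"])
        lo = 0
        # Sliding window: count suspicious renames within `window` of each other.
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                reasons.append(f"{hi - lo + 1} files given a random 8-char extension within {window.seconds}s")
                break
        if h["note"]:
            reasons.append(f"ransom note {RANSOM_NOTE} created")
        if reasons:
            alerts[host] = reasons
    return alerts


if __name__ == "__main__":
    for host, reasons in detect(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

Because the disk-level encryption only starts after the forced reboot, the rename burst is the window in which an endpoint agent can still isolate the host or kill the process; the ransom-note creation is a higher-confidence but later signal, which is why the two are reported separately rather than folded into one score.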
Users are then shown a ransom note, the same as in previous Petya campaigns but with a new gold colour scheme. The victim is given a “personal decryption code”, which is entered into a Dark Web payment portal in order to pay the ransom.
GoldenEye’s current ransom starts at 1.3 Bitcoin (BTC), roughly $1,000 (around £810) at the time of writing.