Personnel departments targeted by GoldenEye ransomware hidden in job applications

Cover letter hides Excel file laden with GoldenEye malware.

A new version of the Petya ransomware, called GoldenEye, is targeting personnel departments: companies are being inundated with fake job applications loaded with the malware.

GoldenEye has apparently been around for a while; however, the security company Check Point reports that the group behind it has now turned its attention to HR departments, because HR staff routinely open emails and attachments from senders they do not know.

The GoldenEye campaign is currently focused on personnel departments in Germany, luring HR employees with legitimate-looking job applications.

The attackers send an email with two attachments. The first is a PDF covering letter with no malicious content, which lulls the recipient into a false sense of security. The second is an Excel file, and this is the one that carries the malicious macros, unbeknown to the user in the personnel department.

The Excel file shows a picture of a flower with the word “Loading…” underneath it, and some text in German asking the user to enable content so that the macro can run. That request on its own should set alarm bells ringing, and the user should not proceed.
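The lure works because the decoy PDF is genuinely harmless and only the spreadsheet carries the macro. A mail gateway can take the opposite view and judge the message by its worst attachment, inspected by content rather than by file name. The following is an added example, not code from the original article, from Check Point or from the malware itself; the package layout it checks (an OOXML zip with a vbaProject.bin part, or a legacy OLE2 container whose VBA cannot be ruled out without a proper parser) is standard Office behaviour, while the file names and byte contents of the sample mail are constructed for the demonstration.

```python
import io
import zipfile

# Magic number of the legacy OLE2 ("Compound File") container used by .xls/.doc.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PDF_MAGIC = b"%PDF-"


def classify_attachment(data: bytes) -> str:
    """Classify an attachment by content, not by its file name.

    Returns one of:
      "ooxml-macro"   - Office Open XML package (xlsm/docm/...) with a VBA project
      "ooxml-clean"   - Office Open XML package with no VBA project part
      "legacy-office" - OLE2 container (.xls/.doc); VBA cannot be ruled out here
                        without an OLE parser such as olevba from oletools
      "pdf"           - PDF document (the decoy in this campaign)
      "other"         - anything else
    """
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(OLE_MAGIC):
        return "legacy-office"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
        if "[content_types].xml" not in names:
            return "other"  # a zip archive, but not an Office package
        # Office stores the VBA project as a binary part under xl/, word/ or ppt/.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        return "ooxml-clean"
    return "other"


def triage_mail(attachments):
    """Return ("quarantine", reasons) if any attachment can carry macros.

    attachments: iterable of (filename, bytes).  A harmless PDF next to a
    macro document does not make the mail safer; the decoy is part of the
    lure, so the verdict depends only on the worst attachment present.
    """
    reasons = []
    for name, data in attachments:
        kind = classify_attachment(data)
        if kind in ("ooxml-macro", "legacy-office"):
            reasons.append(f"{name}: {kind}")
    return ("quarantine" if reasons else "deliver", reasons)


def build_ooxml(with_vba: bool) -> bytes:
    """Build a minimal constructed OOXML package (not a real spreadsheet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


# Constructed sample mail: a harmless PDF cover letter plus a macro-enabled workbook.
SAMPLE_MAIL = [
    ("Bewerbung.pdf", b"%PDF-1.4\n% constructed cover letter\n"),
    ("Bewerbung.xlsm", build_ooxml(with_vba=True)),
]

if __name__ == "__main__":
    print(triage_mail(SAMPLE_MAIL))
```

The legacy binary format is the awkward case: an OLE2 file is treated as quarantine-worthy here because this stdlib-only check cannot see inside it; in a production gateway you would hand it to an OLE parser (olevba) and quarantine only when a VBA project is actually found.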

Check Point explains what happens if the user proceeds anyway: “When a user clicks “Enable Content”, the code inside the macro executes and initiates the process of encrypting the files, denying the victim access to his or her files.

“GoldenEye then appends a random eight-character extension to each encrypted file. After all the files are encrypted, GoldenEye presents the ransom note: “YOUR_FILES_ARE_ENCRYPTED.TXT”.

After displaying the ransom note, GoldenEye forces a reboot and starts encrypting the disk.

“This action makes it impossible to access any files on the hard disk. While the disk undergoes encryption, the victim sees a fake ‘chkdsk’ screen, as in previous Petya variants,” warns Check Point.

At this point the user is presented with a ransom screen. It is the same as those seen in previous Petya attacks, but with a new gold colour scheme. The screen shows a “personal decryption code”, which the victim is told to enter into a ‘dark web’ portal to pay the ransom.
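The two observable traces of the first, file-level stage described above are the random eight-character extension appended to every encrypted file and the YOUR_FILES_ARE_ENCRYPTED.TXT note dropped alongside them. A file-server or endpoint job can look for both before the forced reboot and disk encryption make the machine unusable. The following is an added example, not code from the original article or from Check Point; the assumption that the random extension is alphanumeric, the alert thresholds and the two sample directory listings are constructed for the demonstration.

```python
import os
import re

# Ransom note dropped after the file-encryption stage (name from the report).
NOTE_NAME = "YOUR_FILES_ARE_ENCRYPTED.TXT"
# Assumption: the "random eight-character extension" is alphanumeric.
RANDOM_EXT = re.compile(r"[A-Za-z0-9]{8}")
MIN_FILES = 10    # don't alert on a handful of files
MIN_RATIO = 0.5   # at least half of the files must carry a random 8-char extension


def assess_listing(paths):
    """Heuristic verdict for a list of file paths (relative or absolute).

    The two signals are combined deliberately: the note alone may be a copied
    sample, and 8-character extensions alone can be legitimate (e.g. a date
    suffix), but both together on one tree match the behaviour described.
    """
    note_seen = False
    random_ext = 0
    total = 0
    for p in paths:
        base = os.path.basename(p)
        if base.upper() == NOTE_NAME:
            note_seen = True
            continue  # the note itself is not an encrypted file
        total += 1
        ext = base.rsplit(".", 1)[1] if "." in base else ""
        if RANDOM_EXT.fullmatch(ext):
            random_ext += 1
    ratio = random_ext / total if total else 0.0
    return {
        "note_seen": note_seen,
        "files": total,
        "random_ext_files": random_ext,
        "ratio": round(ratio, 2),
        "alert": note_seen and total >= MIN_FILES and ratio >= MIN_RATIO,
    }


def assess_directory(root):
    """Walk a real directory tree and apply assess_listing to everything in it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return assess_listing(paths)


# Constructed listings: a share after the encryption pass (each document has an
# extra 8-character extension and the note is present) and the same share untouched.
INFECTED = [f"share/docs/report{i}.docx.{'abcdefghijkl'[i]}7k2p9x1" for i in range(12)] + [
    "share/docs/YOUR_FILES_ARE_ENCRYPTED.TXT",
    "share/docs/readme.txt",
]
CLEAN = [f"share/docs/report{i}.docx" for i in range(12)] + ["share/docs/readme.txt"]

if __name__ == "__main__":
    print("infected:", assess_listing(INFECTED))
    print("clean:   ", assess_listing(CLEAN))
```

Run assess_directory against a monitored share from a scheduled task; an alert here is a reason to isolate the host immediately, since the report says the disk-encryption stage follows the ransom note after a forced reboot.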

The current ransom demanded by GoldenEye begins at 1.3 bitcoin, which works out at approximately $1,000 (around £810).

If you have any concerns about this, do not hesitate to call us on 01252 350 690 for some impartial advice.