Goldeneye Ransomware Targets HR Departments
Tue 24 Jan 2017
A new form of ransomware has given 007 a run for his money in the deception stakes. The ransomware in question, known as ‘Goldeneye’, is a variation of the Petya malware and specifically targets the HR departments of businesses and corporations. HR departments are often inundated with hundreds, if not thousands, of unsolicited job applications; Goldeneye masquerades as one of these applications and even sports an authentic-looking covering letter. However, as in Bond movies, not everything is as it seems…
Goldeneye delivers a covering letter in PDF format, which directs the opener to a further Microsoft Excel file. This XLS file asks the user to enable content. When the user does so, the file runs macros and activates the ransomware. Once activated, the Goldeneye ransomware encrypts all the files on the victim’s computer, appending an eight-letter extension, before the machine is remotely restarted. During the restart process, the ransomware completes the encryption phase. At the same time, a false ‘chkdsk’ screen is displayed, providing a smokescreen to camouflage what is actually happening.
A Lucrative Business
When the restart is complete, the victim receives a notification demanding a ransom of 1.3 Bitcoins – which equates to approximately £1,000 – if they want to retrieve their files. To ensure that they get what they want, the hackers have included details of how and where to obtain Bitcoins. With the ransom in hand, the victim is then instructed to visit a portal on the Dark Web, where the transfer can be made, as per the instructions attached.
Goldeneye Highlights The Need for Good Practices
Cybersecurity experts have stated that “the developer behind Petya is a cyber-criminal who goes by the name of Janus. Up to October 2016, Janus ran the ‘Janus Cybercrime’ website, where Petya was offered in combination with another ransomware, Mischa, as a Ransomware-as-a-Service.” In effect, Janus has turned the sale of the Goldeneye ransomware into a lucrative money-spinner, pocketing a percentage of the sales of the malware itself.
As if it were needed, this once again highlights the need to follow good practices and not open attachments from unknown sources. A suspicious resume in any format other than PDF or MS Word should not be opened. Instead, it is advisable to reply and ask for the resume to be sent in a specific format.
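The format rule above can be checked against file content rather than file name. The following Python sketch is an added example, not part of the original article: it allows PDF and macro-free Word attachments and blocks everything else, including a macro-bearing XLS like the one in the Goldeneye chain. The function names and sample bytes are constructed for illustration, and the OLE2 stream-name search is a heuristic rather than a full parser.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container

def u16(name):  # OLE2 directory entries store stream names as UTF-16LE
    return name.encode("utf-16-le")

def triage_attachment(data):
    """Return (verdict, detail) for one attachment, judged by content, not name."""
    if data.startswith(b"%PDF-"):
        return "allow", "PDF"
    if data.startswith(OLE2_MAGIC):
        # Heuristic: look for well-known stream names instead of parsing the FAT.
        kind = "Word" if u16("WordDocument") in data else (
            "Excel" if u16("Workbook") in data else "unknown OLE2")
        macros = u16("_VBA_PROJECT") in data
    elif data.startswith(b"PK\x03\x04"):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "block", "corrupt ZIP container"
        kind = "Word" if "word/document.xml" in names else (
            "Excel" if "xl/workbook.xml" in names else "unknown ZIP")
        macros = any(n.lower().endswith("vbaproject.bin") for n in names)
    else:
        return "block", "unrecognised format; ask sender for PDF or Word"
    if macros:
        return "block", f"{kind} file carrying VBA macros"
    if kind == "Word":
        return "allow", "Word document without macros"
    return "block", f"{kind}; ask sender for PDF or Word"

def make_ooxml(*members):  # constructed OOXML-shaped ZIP, not a valid document
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for m in members:
            z.writestr(m, b"constructed")
    return buf.getvalue()

# Constructed samples: minimal byte stubs, not real documents.
SAMPLES = {
    "cover_letter.pdf": b"%PDF-1.4\n% constructed\n",
    "application.xls": OLE2_MAGIC + b"\0" * 64 + u16("Workbook") + u16("_VBA_PROJECT"),
    "cv.docx": make_ooxml("word/document.xml"),
    "cv.docm": make_ooxml("word/document.xml", "word/vbaProject.bin"),
}
for name, blob in SAMPLES.items():
    print(name, *triage_attachment(blob))
```

A blocked result maps to the action the article recommends: do not open the file, and reply asking for the resume in PDF or Word.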