Ransomware has long proven to be a major threat for both consumers and enterprises, and a recent campaign targeting corporate Human Resources (HR) departments shows the threat to businesses continues to rise.
The attack starts with emails designed to mimic job applications, which contain not only a brief message from the alleged applicant, but also two attachments that ultimately lead to ransomware. According to Check Point researchers, the campaign targets HR departments because people working there usually cannot avoid opening emails and attachments from strangers.
Spam emails have long been used as a major infection vector for different malware types, and it’s no surprise that cybercriminals continue to use this attack method. The newly observed campaign is distributing the GoldenEye ransomware family, which is the offspring of Petya and Mischa, a malware duo that emerged in the spring of 2016.
The campaign, Check Point researchers reveal, targets German speakers and features a cover letter in a non-malicious PDF as attachment, meant to trick the potential victim into believing that the email might be legitimate. However, there is a second attachment that features malicious intent: a macro-enabled Excel file.
The victim is lured into enabling the macro and, as soon as that happens, the code inside the macro initiates the file-encryption process, ultimately denying the user access to their files. Next, the ransomware appends a random 8-character extension to each encrypted file, drops a ransom note, and then forces a reboot to encrypt the disk.
“This action makes it impossible to access any files on the hard disk. While the disk undergoes encryption, the victim sees a fake “chkdsk” screen, as in previous Petya variants,” Check Point security researchers explain. A boot-level ransom note is displayed after that.
Petya would force the reboot to start encrypting the hard disk’s Master Boot Record (MBR), after which it would display the boot-level ransom note as well. The difference between the two is that Petya didn’t encrypt user files as well (Mischa did that, but only if Petya failed to encrypt the MBR), and that GoldenEye uses a yellow colored ransom note instead of a red or green one.
Victims are directed to a Dark Web portal where they can enter a “personal decryption code” to pay the ransom. A support page is available on the site, allowing victims to send messages to the malware operators should they encounter issues with the payment or decryption process.
GoldenEye usually demands a 1.3 Bitcoins (BTC) ransom, but researchers have observed slight variations (ranging from 1.33 to 1.39 BTC). “We can assume that the actor behind GoldenEye aims to receive $1,000 for each infection, and so the actual ransom amount varies according to BTC price fluctuation,” the security researchers say.