Cybercriminals keep finding new ways to boost their conversion rates and make a bigger profit at the end of the month. Now, cybersecurity researchers at Check Point report on GoldenEye ransomware, a variant of the Petya ransomware that is being used to target companies’ HR departments, since people in these departments regularly have to open files attached to emails from unknown senders.
Cybercriminals have launched a campaign in which they send companies’ HR departments emails posing as job applications. The email itself contains a short message that directs the recipient to two attachments. One of them is a cover letter in PDF format that contains no malicious code. Reportedly, the purpose of this cover letter is to make the email look like a regular job application and give the recipient a false sense of security.
The other attachment is an Excel file that, once opened, claims to be loading while showing the target a picture of a flower. Text in German asks the victim to enable content so that macros can run. Once the victim complies, code inside the macros starts the encryption process.
GoldenEye appends a random 8-character extension to each of the victim’s encrypted files and then drops a ransom note named “YOUR_FILES_ARE_ENCRYPTED.TXT”. Next, according to Check Point, GoldenEye forcibly reboots the machine in order to encrypt the disk itself, making every file on the hard disk inaccessible. While the disk is being encrypted, a fake “chkdsk” screen is displayed.
Finally, users are shown a ransom note with a golden color scheme, instead of the red or green used in previous Petya campaigns. A ransom of roughly 1.3 bitcoins is demanded in exchange for the victim’s files. The note also explains how victims can acquire bitcoin and how to reach a deep web portal where they can pay the ransom. At that portal, victims can also contact an admin if they are unable to complete the payment or the decryption process.
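The host-side indicators described above (a ransom note with a fixed name next to files that gained an appended random 8-character extension) are the kind of pattern a defender can look for in file-creation telemetry. The following heuristic is an added example, not code from Check Point or from this article; the host names, paths and the event list are constructed sample input, and the threshold of three renamed files is an assumption chosen for the example.

```python
import re
from collections import defaultdict

# Constructed file-creation events (host, path), in the shape a SIEM or EDR
# might export. Not real telemetry: every host name and path is made up.
SAMPLE_EVENTS = [
    ("hr-pc-01", r"C:\Users\anna\Documents\Bewerbung_Mueller.pdf"),
    ("hr-pc-01", r"C:\Users\anna\Documents\Bewerbung_Mueller.pdf.k9f3xq2b"),
    ("hr-pc-01", r"C:\Users\anna\Documents\Lebenslauf.docx.k9f3xq2b"),
    ("hr-pc-01", r"C:\Users\anna\Desktop\budget.xlsx.k9f3xq2b"),
    ("hr-pc-01", r"C:\Users\anna\Desktop\YOUR_FILES_ARE_ENCRYPTED.TXT"),
    ("fin-pc-07", r"C:\Users\bob\Documents\report.docx"),
    ("fin-pc-07", r"C:\Users\bob\Documents\archive.tar.gz"),
]

RANSOM_NOTE = "YOUR_FILES_ARE_ENCRYPTED.TXT"
# GoldenEye appends a random 8-character extension after the original one,
# so "report.docx" becomes something like "report.docx.k9f3xq2b".
APPENDED_EXT = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.(?P<ext>[A-Za-z0-9]{8})$")


def classify(path):
    """Return ("note", None), ("encrypted", ext) or (None, None) for one path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name.upper() == RANSOM_NOTE:
        return "note", None
    m = APPENDED_EXT.match(name)
    return ("encrypted", m.group("ext").lower()) if m else (None, None)


def goldeneye_indicators(events, min_encrypted=3):
    """Map host -> {"encrypted": count, "extensions": [...]} for hosts that
    dropped the ransom note AND created at least min_encrypted renamed files.
    Requiring both signals keeps benign 8-letter extensions from alerting."""
    per_host = defaultdict(lambda: {"encrypted": 0, "extensions": set(), "note": False})
    for host, path in events:
        kind, ext = classify(path)
        if kind == "note":
            per_host[host]["note"] = True
        elif kind == "encrypted":
            per_host[host]["encrypted"] += 1
            per_host[host]["extensions"].add(ext)
    return {
        host: {"encrypted": s["encrypted"], "extensions": sorted(s["extensions"])}
        for host, s in per_host.items()
        if s["note"] and s["encrypted"] >= min_encrypted
    }


if __name__ == "__main__":
    for host, finding in goldeneye_indicators(SAMPLE_EVENTS).items():
        print(f"{host}: {finding['encrypted']} renamed files, ext {finding['extensions']}")
```

The renamed-file count alone is a weak signal; the fixed note name is what makes the pair distinctive, and the threshold should be tuned to how many file events the telemetry source actually delivers.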
The authors behind Petya and GoldenEye
Cybercriminals calling themselves Janus are the minds behind Petya and GoldenEye, and they don’t make money only by extorting their victims. Until October 2016, Janus ran a website on which Petya, along with other types of ransomware, was for sale under what is known as Ransomware-as-a-Service (RaaS). Essentially, the ransomware is sold to users who are unable to write such software themselves, creating a network of distributors. Whenever these users extort money from someone, Janus takes a share of the profit.
Janus’ ransomware started off as a minor threat: according to Malwarebytes, early Petya could be avoided because of a few bugs. Those bugs have since been fixed, and according to the company the current product does not appear to be decryptable by external tools.
To stay safe, security companies advise users to be very careful with email attachments, since attachments are currently GoldenEye’s main distribution vector.
Posted by: Francisco