German HR departments are being targeted in effort to spread ransomware

News by Roi Perez

GoldenEye, the latest variant of the Petya ransomware, is being used in attacks that ask users to enable macros, according to research from Check Point Software Technologies.

According to Check Point Software Technologies, German HR departments are being targeted by criminals posing as job applicants in a bid to infect company machines with GoldenEye, the latest variant of Petya.

When contacting HR professionals, the criminals send two files: one is a cover letter designed to assure the person opening it that the application is real and legitimate; the other is an Excel spreadsheet which contains the ransomware payload, a variant of Petya which Check Point researchers named GoldenEye.

The person viewing the Excel spreadsheet sees a picture of a flower with the word “Loading…” underneath, and text in German asking the victim to enable ‘content’, with instructions on how to enable macros. Enabling macros allows the ransomware to begin encrypting files.

A fake loading screen shows up, allowing GoldenEye time to encrypt. Once completed it asks for 1.3 Bitcoins in return for the decryption key.

Check Point explained: “GoldenEye forces a reboot and starts encrypting the disk. This action makes it impossible to access any files on the hard disk. While the disk undergoes encryption, the victim sees a fake ‘chkdsk’ screen, as in previous Petya variants.”

The developer behind Petya is a cyber-criminal who goes by the name of Janus. Up to October 2016, Janus ran the “Janus Cybercrime” website, where Petya was offered in combination with another ransomware, Mischa, as a ransomware-as-a-service.

Janus is also the name of the cyber-crime syndicate that was featured in the James Bond film GoldenEye, released in 1995.

Javvad Malik, security advocate at AlienVault, explains: “HR departments are used to receiving and opening office documents, and they are often connected to internal corporate systems, so it increases both the likelihood and the impact of any infection. This is a well-timed attack, given the New Year's resolutions of many kicking in, vowing to get a better job.”

Jim Hansen, vice president at AlienVault, adds: “The best possible thing you can do to prevent a ransomware infection is just to not use email or the internet. Since that is not likely to happen, you should establish continuous training to your users to minimise the likelihood that they will click on a malicious email attachment. Keep in mind that although you have control and visibility over your corporate email server, you don't necessarily have the same control and visibility over the myriad of personal email accounts that your users have.”
