Personnel departments targeted by GoldenEye ransomware hidden in job applications
Cover letter hides Excel file laden with GoldenEye malware
Personnel departments are being targeted by GoldenEye, a version of the Petya ransomware, in a new-year campaign flooding companies with fake job applications laden with malware.
GoldenEye has been around for some time, but security software company Check Point claims that the gang behind it have turned their attention to human resources departments, which will routinely open emails bearing attachments from unknown sources.
The campaign, which at the moment is targeting personnel departments in Germany, lures victims in with a legitimate-looking job application.
Two files are attached to the email. The first is a PDF containing a cover letter with no malicious content; its purpose is to lull the victim into a false sense of security. The second is an Excel file carrying malicious macros, unbeknown to the recipient.
The latter contains a picture of a flower with the word "Loading…" underneath, and text in German asking the victim to enable content so that the macros can run. That alone ought to set alarm bells ringing.
Check Point explains what happens if it doesn't: "When a user clicks 'Enable Content', the code inside the macro executes and initiates the process of encrypting the files, denying the victim access to his or her files.
"GoldenEye then appends a random eight-character extension to each encrypted file. After all the files are encrypted, GoldenEye presents the ransom note: 'YOUR_FILES_ARE_ENCRYPTED.TXT'.
"After displaying the ransom note, GoldenEye forces a reboot and starts encrypting the disk.
"This action makes it impossible to access any files on the hard disk. While the disk undergoes encryption, the victim sees a fake 'chkdsk' screen, as in previous Petya variants," warns Check Point.
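The two file-system indicators quoted above, a ransom note named YOUR_FILES_ARE_ENCRYPTED.TXT and user files renamed with an eight-character extension, are enough for a simple triage check on a share or backup snapshot. The Python below is an added example, not Check Point's tooling or anything from the article; the alphanumeric character set, the allowlist of legitimate eight-letter extensions, the hit threshold and the sample listing are all assumptions.

```python
import os
import re
from collections import Counter
from typing import Dict, List, Optional

# Ransom-note file name quoted in the Check Point write-up.
RANSOM_NOTE = "YOUR_FILES_ARE_ENCRYPTED.TXT"
# GoldenEye appends a random eight-character extension to each encrypted
# file. Treating it as alphanumeric is an assumption; the article does not
# state the character set.
RANDOM_EXT = re.compile(r"\.([A-Za-z0-9]{8})$")
# Legitimate eight-letter extensions that would otherwise trigger (assumed list).
KNOWN_EXTS = {"markdown", "download", "manifest"}

def random_extension(name: str) -> Optional[str]:
    """Return the eight-character extension of NAME, or None if it has none."""
    m = RANDOM_EXT.search(name)
    if not m or m.group(1).lower() in KNOWN_EXTS:
        return None
    return m.group(1)

def assess_listing(names: List[str], min_hits: int = 5) -> Dict[str, object]:
    """Score a directory listing against the two GoldenEye indicators.

    The listing is suspicious if the ransom note is present, or if at least
    MIN_HITS files carry an unexplained eight-character extension.
    """
    note_present = any(n.upper() == RANSOM_NOTE for n in names)
    exts = Counter(e for e in (random_extension(n) for n in names) if e)
    renamed = sum(exts.values())
    return {"ransom_note": note_present, "renamed": renamed,
            "extensions": dict(exts),
            "suspicious": note_present or renamed >= min_hits}

def scan_directory(root: str, min_hits: int = 5) -> Dict[str, object]:
    """Walk ROOT on disk and score every file name found beneath it."""
    names = [f for _, _, files in os.walk(root) for f in files]
    return assess_listing(names, min_hits)

# Constructed sample listing (not real victim data): a few documents renamed
# with one random extension, a harmless .markdown file, and the ransom note.
SAMPLE_LISTING = [
    "Bewerbung_Mustermann.pdf", "Lebenslauf.xls", "budget.xlsx.k3Qz9bX1",
    "notes.docx.k3Qz9bX1", "photo.jpg.k3Qz9bX1", "report.pdf.k3Qz9bX1",
    "README.markdown", "YOUR_FILES_ARE_ENCRYPTED.TXT",
]

if __name__ == "__main__":
    print(assess_listing(SAMPLE_LISTING))
```

Run it against a mounted snapshot with `scan_directory("/mnt/share")`; a positive result is a cue to isolate the host and pull the user's mailbox for the originating application email, not a proof on its own.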
From here, users are presented with a ransom note - the same seen in previous Petya campaigns, but with a new gold colour scheme. The victim is presented with a "personal decryption code", which can be entered into a 'dark web' portal in order to pay the ransom.
The current ransom demanded by GoldenEye begins at 1.3 bitcoin, which works out at approximately $1,000 (around £810).