It seems that cyber criminals are constantly modifying and improving the tactics they use to achieve their objectives.
One notable area that these efforts are being directed towards is ransomware. Ransomware has been a constant threat to computer users and businesses alike since the development of the internet.
Cybersecurity experts recently brought to light a new malware that categorically aims at the Human Resource departments of unsuspecting organizations.
According to internet security researchers at Check Point, this strategy utilizes a ransomware referred to as “GoldenEye,” which poses as a job application.
The ransomware is actually a new and improved version of the infamous Petya virus. The Petya virus has previously been in the public limelight, but seemed to have disappeared for a short period – until now.
The researchers at Check Point noted that GoldenEye ransomware capitalized on the fact that Human Resource departments have a tendency of opening emails and corresponding attachments indiscriminately, one of the mavirin methods through which ransomware infections are spread.
According to the most recent information, this new strategy employs misleading emails with two attachments; a PDF attachment and an Excel file.
The PDF attachment does not contain the ransomware. It bears a cover letter that is intentionally placed there to lower the victims’ guard. The Excel file is the one containing the ransomware in the form of malicious macros obscured from the victim.
The spreadsheet-viewing application will display text prompting the victim to enable content, and once this tab is clicked, the code executes and begins the file encryption process.
The encryption is made possible by base64 strings that are incorporated into the ransomware.
They are activated immediately the content is enabled. The ransomware does this in order to gain access to the system as an administrator. At this point, it is able to manage the computer’s boot processes.
The users cannot access their files and are presented with a ransom note upon process
The ransomware then executes a forced reboot after which the Master File Table in the hard disk is encrypted.
The ransomware notes indicate that GoldenEye employs a complex military grade encryption protocol to encode the hard disk – it is suspected that it could be a combination of RSA and AES algorithms. Recently, the ransomware has seen mass distribution in Germany.
At the moment, GoldenEye ransomware is demanding a ransom of 1.3 BTC from the victims to restore access to the files.
The ransomware note has clear directions on how the victims can be able to regain access to their files. They have to purchase a decryption key at a dark web site provided by the racketeers.
The party behind this ransomware campaign is a group of cyber criminals called Janus. Janus is notorious for also doubling as ransomware distributers. They operated a website that sold Petya and other ransomware, an illegal activity commonly referred to as Ransomware-as-a-Service (RaaS), up until October of last year.
The victims have been advised not to pay the ransom and instead opt for recovery methods, noting that ransomware authors are known to rake in huge sums of money with limited reports of data being released.
Experts have forwarded several ways to tackle the GoldenEye problem including proactive prevention measures.
Data recovery methods have been recommended but only after the ransomware have been eradicated with an updated anti-malware tool. Security commenters are positive that as more users get informed, GoldenEye will eventually be terminated.