GoldenEye ransomware targets HR departments with fake job applications
Information security experts have uncovered a new ransomware campaign that specifically targets businesses’ HR departments.
The GoldenEye malware, analysed by researchers at Check Point, is spread through emails sent to organisations that are crafted to look like job applications.
“The current campaign used to distribute GoldenEye has a job application theme,” they wrote in a blog post. “It is therefore aimed at companies’ human resources departments, due to the fact they usually cannot avoid opening emails and attachments from strangers.”
The messages, which target German-speaking businesses, contain two attachments: a non-malicious cover letter PDF to lull the recipient into a false sense of security, and an Excel file carrying macros that, once the recipient enables them, begin encrypting files on the machine.
After the file encryption has run and a ransom note has been displayed, GoldenEye reboots the victim’s computer, encrypts the hard disk while displaying a fake chkdsk screen, and then shows a second, boot-level ransom note, so the machine cannot be started normally.
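The practical defence at the HR mailbox is to stop the macro-bearing attachment before anyone opens it. The script below is an added example, not code from Check Point or from the article, showing the triage check a mail gateway or an analyst could run on incoming "application" attachments. OOXML workbooks (.xlsx/.xlsm) are zip archives, so a `vbaProject.bin` part is a reliable macro indicator; for legacy binary .xls files the script uses a heuristic (the VBA storage name stored as UTF-16LE inside the OLE2 container), which is an assumption made for the example, and a production deployment should use a real OLE parser such as oletools. The attachment names and file contents are constructed for the demonstration.

```python
"""Flag Office attachments that carry VBA macros before HR opens them.

Added example; not from Check Point or the GoldenEye campaign. Handles:
  * OOXML (.xlsx/.xlsm/.docm): zip archive, VBA lives in a vbaProject.bin part.
  * Legacy OLE2 (.xls/.doc): heuristic only (assumption for this example):
    the VBA storage names are stored UTF-16LE in the directory, so finding
    them in the raw bytes is a strong hint. Use oletools in production.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                             # OOXML is a zip container
# Directory entry names that only exist when a VBA project is present.
OLE_VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT_CUR", "_VBA_PROJECT")]

VERDICT_MACRO = "VBA macros"
VERDICT_CLEAN = "no macros"
VERDICT_OTHER = "not an Office file"


def has_macros(data: bytes) -> bool:
    """Return True if an Office document appears to carry a VBA project."""
    if data.startswith(OLE_MAGIC):
        # Heuristic for legacy binary formats (assumption, see docstring).
        return any(marker in data for marker in OLE_VBA_MARKERS)
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return False
        # Part name is fixed by the OOXML spec; match case-insensitively anyway.
        return any(name.lower().endswith("vbaproject.bin") for name in names)
    return False


def classify(data: bytes) -> str:
    """Map raw attachment bytes to one of the three verdicts."""
    if not (data.startswith(OLE_MAGIC) or data.startswith(ZIP_MAGIC)):
        return VERDICT_OTHER
    return VERDICT_MACRO if has_macros(data) else VERDICT_CLEAN


def triage(attachments):
    """attachments: iterable of (filename, bytes). Returns [(filename, verdict)]."""
    return [(name, classify(data)) for name, data in attachments]


# --- constructed sample attachments (not real campaign files) ---------------

def _build_ooxml(with_macros: bool) -> bytes:
    """Minimal zip laid out like a workbook, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def _build_ole(with_macros: bool) -> bytes:
    """Fake OLE2 blob: correct magic, optionally the VBA storage name."""
    body = OLE_MAGIC + b"\x00" * 64
    if with_macros:
        body += "_VBA_PROJECT_CUR".encode("utf-16-le")
    return body


# A mail like the one described in the article: harmless cover-letter PDF plus
# a macro-laden workbook, and a genuinely clean workbook for comparison.
SAMPLE_ATTACHMENTS = [
    ("Anschreiben.pdf", b"%PDF-1.4\n%constructed cover letter\n"),
    ("Bewerbung.xls", _build_ole(True)),
    ("Lebenslauf.xlsx", _build_ooxml(False)),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS):
        print(f"{name}: {verdict}")
```

Anything reported as carrying VBA macros should be quarantined rather than delivered to an HR inbox; the PDF in the sample passes through untouched, which matches the campaign's use of a benign decoy alongside the real payload.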
The victim is given a “personal decryption code” and a link to a Dark Web site, which includes a support page through which they can send questions to the cyber criminals behind the attack.
According to Check Point, GoldenEye currently demands around 1.3 Bitcoins from each of its victims – or about $1,000 (£812) – to restore access to their files.
“We can assume that the actor behind GoldenEye aims to receive $1,000 for each infection, and so the actual ransom amount varies according to BTC price fluctuation,” it said.
Ransomware is a constant threat to businesses and consumers alike.
In December, cyber security experts uncovered a new type of ransomware called Popcorn Time, which gives users their files back for free if they can infect two of their friends.
“For enterprises, as well as the threat of Popcorn Time locking up corporate data, there is also a huge reputational risk if it emerges that employees are spreading it to others via their work email,” said Fraser Kyne, CTO for the EMEA region at Bromium. “This is clearly a board-level concern, so CISOs should be looking at what safeguards they can put in place to prevent it.”