James Bond, the fictional spy, has met his match when it comes to deception. A new ransomware named after one of the Bond movies, GoldenEye, infects work computers by posing as a job application.
According to cybersecurity researchers, the GoldenEye ransomware is a variant of the previously known Petya ransomware. It targets companies' HR departments, which receive hundreds if not thousands of emails from unknown people applying for jobs. A well-crafted mail delivers the GoldenEye payload alongside an innocent-looking cover letter.
The cover letter, in PDF format, directs the HR executive to a second attachment, a Microsoft Excel file containing the actual GoldenEye ransomware. Once the user opens the XLS file, they are prompted to "enable content"; doing so runs the embedded macros, which launch the ransomware.
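The attack hinges on an Excel attachment that carries a VBA project. Below is an added example, written for this page and not code from the article or from any researcher it cites, of a mail-gateway style check that flags Excel attachments containing macros before they reach an HR inbox. It inspects content rather than trusting the file name: OOXML workbooks (.xlsx/.xlsm) are ZIP archives whose macros live in the part `xl/vbaProject.bin`, and legacy .xls files are OLE2 compound files whose VBA storage has a UTF-16LE directory name containing `_VBA_PROJECT`. The raw-byte scan for that name is a triage heuristic (an assumption made here to avoid a full OLE parser), and the sample attachments are constructed in memory rather than taken from any real sample.

```python
"""Screen e-mail attachments for Excel files that carry VBA macros (added example)."""
import io
import zipfile

# OLE2 compound file magic used by legacy .xls / .doc files.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Directory entry names inside an OLE file are stored as UTF-16LE; the VBA
# storage in a legacy workbook is named "_VBA_PROJECT_CUR".  Searching for
# the UTF-16LE bytes of "_VBA_PROJECT" is a heuristic (assumption: good
# enough for triage, not a substitute for a real OLE parser).
VBA_DIR_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# In OOXML workbooks the macro project is a single ZIP member.
OOXML_VBA_PART = "xl/vbaProject.bin"


def has_vba_macros(data: bytes) -> bool:
    """Return True if the attachment bytes look like an Excel file with VBA."""
    if data.startswith(OLE_MAGIC):
        # Legacy .xls: heuristic scan of directory entry names.
        return VBA_DIR_MARKER in data
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return OOXML_VBA_PART in zf.namelist()
        except zipfile.BadZipFile:
            return False
    return False


def screen_attachments(attachments):
    """Classify (filename, bytes) pairs as "quarantine", "allow" or "unknown".

    Excel files are judged on content, so an .xlsx that secretly carries a
    VBA project is still quarantined; PDF and Word are passed through as the
    article's advice suggests, and anything else is left for manual review.
    """
    verdicts = []
    for name, data in attachments:
        lower = name.lower()
        if lower.endswith((".xls", ".xlsx", ".xlsm", ".xlsb")):
            verdicts.append((name, "quarantine" if has_vba_macros(data) else "allow"))
        elif lower.endswith((".pdf", ".doc", ".docx")):
            verdicts.append((name, "allow"))
        else:
            verdicts.append((name, "unknown"))
    return verdicts


# --- constructed sample attachments (not real malware) ---------------------
def build_ooxml(with_macro: bool) -> bytes:
    """Minimal OOXML-shaped ZIP, optionally with a placeholder VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr(OOXML_VBA_PART, b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()


def build_fake_xls(with_macro: bool) -> bytes:
    """Not a valid OLE file: only the magic and the directory-name marker are
    present, which is enough to exercise the heuristic path."""
    body = OLE_MAGIC + b"\x00" * 64
    if with_macro:
        body += "Root Entry".encode("utf-16-le") + b"\x00" * 8
        body += VBA_DIR_MARKER + "_CUR".encode("utf-16-le")
    return body + b"\x00" * 64


SAMPLE_ATTACHMENTS = [
    ("cover_letter.pdf", b"%PDF-1.4 constructed placeholder"),
    ("resume.xlsx", build_ooxml(with_macro=False)),
    ("application_form.xlsm", build_ooxml(with_macro=True)),
    ("resume.xls", build_fake_xls(with_macro=True)),
    ("notes.txt", b"plain text"),
]


if __name__ == "__main__":
    for name, verdict in screen_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name:25s} {verdict}")
```

Running the script prints one verdict per sample attachment; the two macro-bearing workbooks come back as `quarantine` while the macro-free .xlsx is allowed. In a production gateway the heuristic branch would be replaced by a proper OLE parser, but the decision structure (judge Office files by content, never by extension alone) is the part worth keeping.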
The ransomware encrypts all files on the infected computer, appending an 8-letter extension to each, and then forcibly restarts the machine. While the computer is rebooting, GoldenEye completes the encryption process; meanwhile a fake "chkdsk" screen is shown to the user, giving no hint of what is happening behind it.
Once the machine restarts, the user is presented with a ransom note demanding a payment of 1.3 BTC to retrieve their files. The note includes detailed instructions on how and where to purchase the bitcoin. To pay, the user must visit a portal on the deep web and make the transfer by following the instructions in the note.
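The encryption phase leaves a recognisable trace: many files under one user gaining the same, previously unseen 8-letter extension in a short burst. The following added example (written for this page, not code from the article or from any vendor) runs a simple mass-rename detector over constructed file-rename audit events. The event format, the window and threshold values, the allowlist of legitimate 8-letter extensions and the sample lines are all assumptions for illustration; the aim is to show the shape of the detection, not a signature for GoldenEye specifically.

```python
"""Flag bursts of renames that append one new 8-letter extension (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed audit-event format: "<ISO timestamp> <user> RENAME <old path> -> <new path>"
EVENT_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")
# Legitimate 8-letter extensions that must not trip the detector (assumption).
KNOWN_EXTENSIONS = {"markdown", "torrent", "manifest", "settings", "template"}
WINDOW = timedelta(seconds=60)   # burst window (assumption)
THRESHOLD = 5                    # renames per (user, extension) inside the window


def parse_event(line):
    """Return (timestamp, user, old_path, new_path) or None for malformed lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, user, old, new = m.groups()
    return datetime.fromisoformat(ts), user, old, new


def appended_extension(old, new):
    """Return the extension if new == old + '.' + <8 letters> and it is not
    a known legitimate extension; otherwise None."""
    if not new.startswith(old + "."):
        return None
    ext = new[len(old) + 1:]
    if re.fullmatch(r"[A-Za-z]{8}", ext) and ext.lower() not in KNOWN_EXTENSIONS:
        return ext
    return None


def detect_mass_rename(lines, threshold=THRESHOLD, window=WINDOW):
    """Group suspicious renames by (user, extension) and alert when at least
    `threshold` of them fall inside any `window`-long sliding interval."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, user, old, new = ev
        ext = appended_extension(old, new)
        if ext:
            buckets[(user, ext)].append(ts)

    alerts = []
    for (user, ext), times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "extension": ext,
                               "count": len(times), "first_seen": times[0].isoformat()})
                break
    return alerts


# Constructed sample events (not from a real incident).
SAMPLE_EVENTS = [
    r"2016-12-06T09:14:02 alice RENAME C:\Users\alice\Docs\budget.xlsx -> C:\Users\alice\Docs\budget.xlsx.kbhwqocf",
    r"2016-12-06T09:14:05 alice RENAME C:\Users\alice\Docs\plan.docx -> C:\Users\alice\Docs\plan.docx.kbhwqocf",
    r"2016-12-06T09:14:06 alice RENAME C:\Users\alice\Docs\draft.docx -> C:\Users\alice\Docs\final.docx",
    r"2016-12-06T09:14:09 alice RENAME C:\Users\alice\Pictures\team.jpg -> C:\Users\alice\Pictures\team.jpg.kbhwqocf",
    r"2016-12-06T09:14:13 alice RENAME C:\Users\alice\Docs\notes.txt -> C:\Users\alice\Docs\notes.txt.kbhwqocf",
    r"2016-12-06T09:14:18 alice RENAME C:\Users\alice\Docs\cv.pdf -> C:\Users\alice\Docs\cv.pdf.kbhwqocf",
    r"2016-12-06T09:14:25 alice RENAME C:\Users\alice\Desktop\todo.txt -> C:\Users\alice\Desktop\todo.txt.kbhwqocf",
    r"2016-12-06T09:20:00 bob RENAME C:\Users\bob\README.md -> C:\Users\bob\README.md.markdown",
    r"2016-12-06T09:31:10 carol RENAME C:\Users\carol\a.txt -> C:\Users\carol\a.txt.zqpxmrtv",
    r"2016-12-06T09:31:12 carol RENAME C:\Users\carol\b.txt -> C:\Users\carol\b.txt.zqpxmrtv",
    "this line is malformed and is ignored",
]


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only alice trips the detector (six renames to `.kbhwqocf` within 23 seconds); bob's `.markdown` rename is allowlisted and carol's two renames stay below the threshold. Because the article says the extension is appended rather than substituted, the check requires the new path to start with the old path plus a dot, which keeps ordinary "save as" renames such as `draft.docx -> final.docx` out of the count.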
One online news portal reports that Janus, the creators of Petya and GoldenEye, have been selling the ransomware on the internet. This ransomware-as-a-service model lets buyers obtain a copy of the ransomware and distribute it themselves, while Janus takes a share of every payment those buyers collect, turning the scheme into a lucrative business.
As always, it is advisable to follow good practices and not open attachments from unknown sources. A suspicious resume that arrives in any format other than PDF or MS Word should not be opened; instead, the user can reply and ask for the resume to be sent in a particular format.
Ref: DeepDotWeb | Image: NewsBTC