Cybercriminals have become increasingly skilled at modifying and customising malware in efforts to ensure that targeted victims are reeled in successfully by a malicious campaign. Ransomware authors in particular are now increasingly developing ransomware strains designed to target a specific victim pool. A new variant of the prolific Petya ransomware has been spotted, specifically targeting HR departments, by sending in fake job applications.
The applications are designed to look legitimate and come with a malware-laced attachment, which when opened, infects the victim's system and encrypts all data. The applications are sent via email and include two attachments: one which poses as a cover letter and acts as a lure to victims and the other, an Excel file that contains malicious macros.
According to Check Point security researchers, GoldenEye ransomware targets firms' HR "due to the fact they usually cannot avoid opening emails and attachments from strangers, a common malware infection method".
Researchers found that the malicious Excel file displays an image of a flower with the word "Loading..." and text beneath it asking the victim to enable content so the macros can run. Once the victim clicks "Enable Content", the embedded malicious code starts encrypting files and locks the victim out of them.
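The lure described above depends on a macro-enabled Excel attachment reaching an HR mailbox and being opened with content enabled. A mail-gateway or triage check that flags such attachments before a human opens them is the obvious defensive counterpart. The following is an added example, not Check Point's or the article's code: it builds a constructed sample e-mail in memory (a cover-letter PDF placeholder plus a minimal OOXML workbook carrying a `xl/vbaProject.bin` stream, which is where Excel stores VBA projects), then classifies each attachment by inspecting its bytes rather than trusting the declared file name or content type. The sender and recipient addresses, file names and the placeholder VBA stream are all constructed for this example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Magic bytes of the legacy binary Office (OLE2/CFB) container used by .xls/.doc files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_xlsm(with_macros: bool) -> bytes:
    """Construct a minimal OOXML workbook in memory (sample data, not a real attachment).

    A real .xlsm stores its VBA project in xl/vbaProject.bin; a 16-byte placeholder
    stream is enough for the structural check below.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            z.writestr("xl/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed 'job application' message with two attachments, mirroring the lure."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"   # constructed sender
    msg["To"] = "hr@example.invalid"            # constructed recipient
    msg["Subject"] = "Bewerbung"
    msg.set_content("Sehr geehrte Damen und Herren, anbei meine Bewerbungsunterlagen.")
    msg.add_attachment(b"%PDF-1.4 cover letter placeholder",
                       maintype="application", subtype="pdf",
                       filename="Anschreiben.pdf")
    msg.add_attachment(build_xlsm(with_macros=True),
                       maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="Lebenslauf.xlsm")
    return msg.as_bytes()


def classify_attachment(data: bytes) -> str:
    """Classify an attachment by content, ignoring the (attacker-controlled) file name."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office file: may carry VBA, but needs OLE stream parsing
        # (e.g. a dedicated Office parser) to say for sure. Route to deeper inspection.
        return "legacy-office"
    if data[:2] == b"PK":  # OOXML files are ZIP containers
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        if any(n.endswith("vbaProject.bin") for n in names):
            return "macro-enabled"
        if any(n.endswith(("workbook.xml", "document.xml", "presentation.xml")) for n in names):
            return "office-no-macros"
    return "not-office"


def scan_email(raw: bytes):
    """Return (filename, classification) for every attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        findings.append((name, classify_attachment(data)))
    return findings


if __name__ == "__main__":
    for name, verdict in scan_email(build_sample_email()):
        print(f"{name}: {verdict}")
```

Classifying on bytes rather than on the extension matters because the file name and declared MIME type are chosen by the sender; a `.xlsm` renamed to `.xlsx` still contains `xl/vbaProject.bin`, and a legacy `.xls` is flagged for deeper inspection rather than silently passed.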
The ransomware then displays a message announcing that all files have been encrypted, followed by the ransom note. Once the ransom note has been shown, GoldenEye forces a reboot and begins encrypting the disk, making it "impossible to access" any of the files on the hard drive.
Researchers noted that the ransomware is currently targeting German-speaking victims. GoldenEye is demanding a ransom of 1.3 bitcoins, which amounts to around $1,000, from its victims. As is usual, the ransom note details how victims can make payments and offers the option of communicating with the cybercriminals behind the ransomware in case the victims face issues with either the payment or the decryption process.
Check Point researchers said: "The developer behind Petya is a cyber-criminal who goes by the name of Janus. Up to October 2016, Janus ran the 'Janus Cybercrime' website, where Petya was offered in combination with another ransomware, Mischa, as a Ransomware-as-a-Service.
"If the Bewerbung campaign (named for the German word for application) sounds familiar, it is probably because it was used in the past by the Cerber ransomware. As both Petya/GoldenEye and Cerber act as ransomware-as-a-service (RaaS), it is very likely that there is one threat actor leveraging the German CV campaign to send both malware types to his/her victims."