January 05, 2017

A new campaign to distribute ransomware known as GoldenEye takes aim at HR departments via fake job applications. Here's how to keep your company safe.

A new ransomware campaign is infecting businesses by targeting a department that typically has to open email from strangers: human resources.

Dubbed GoldenEye, a variant of Petya, the ransomware imitates a job application and currently targets German speakers, according to a Check Point report released Tuesday.

Here's how it works: An email appears in the HR representative's inbox with a brief message from the supposed applicant, and two attachments. "The first attachment is a PDF containing a cover letter which has no malicious content and its primary purpose is to lull the victim into a false sense of security," the Check Point report said. "The second attachment is an Excel file with malicious macros unbeknown to the receiver."

That second attachment includes a picture of a flower with the word "Loading..." underneath in English. It also includes a message in German asking the HR representative to enable the content.

When the HR representative clicks "Enable Content," the code begins encrypting their files, and the user is presented with a GoldenEye ransom note: "YOUR_FILES_ARE_ENCRYPTED.TXT."

"After displaying the ransom note, GoldenEye forces a reboot and starts encrypting the disk," the report stated. "This action makes it impossible to access any files on the hard disk."

The ransomware presents its victim with a decryption code, which they can enter in a Dark Web portal to pay the ransom and unlock their files. Current ransom rates for GoldenEye begin at 1.3 bitcoins, or about $1,000.

Ransomware often targets victims via email attachments. HR departments are especially susceptible, Check Point noted, due to the number of messages and attachments from unfamiliar people they receive.

Check Point researchers found that the infected Excel files follow a pattern: They start with the name of a fake job candidate, and end with the German word for application, "bewerbung." A few examples include Wiebold-Bewerbung.xls, Meinel-Bewerbung.xls, and Schlosser-Bewerbung.xls.
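For mail administrators, the traits described above (a PDF cover letter paired with an Excel file named `<name>-Bewerbung.xls` that carries macros) can be turned into a simple triage check. The following is an added example, not code from Check Point or from this article; the function names, the sample addresses, and the byte-level macro heuristic (looking for the `_VBA_PROJECT` stream name inside an OLE2 file) are assumptions made for illustration.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Filename pattern from the Check Point report: <surname>-Bewerbung.xls
BEWERBUNG_XLS = re.compile(r"^[^\\/]+-bewerbung\.xls$", re.IGNORECASE)
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # legacy .xls container header
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")   # heuristic marker for macros


def triage(raw: bytes) -> list[str]:
    """Return the reasons a raw message resembles the lure described above."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    names, reasons = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        names.append(name.lower())
        data = part.get_payload(decode=True) or b""
        if BEWERBUNG_XLS.match(name):
            reasons.append(f"filename matches campaign pattern: {name}")
        if data.startswith(OLE2_MAGIC) and VBA_STREAM in data:
            reasons.append(f"OLE2 file with VBA project stream: {name}")
    has_pdf = any(n.endswith(".pdf") for n in names)
    has_xls = any(n.endswith((".xls", ".xlsm")) for n in names)
    if has_pdf and has_xls:
        reasons.append("PDF cover letter paired with Excel attachment")
    return reasons


def build_sample(xls_name: str, xls_body: bytes) -> bytes:
    """Constructed test message; attachment bytes are inert placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "applicant@example.test", "hr@example.test", "Bewerbung"
    m.set_content("Sehr geehrte Damen und Herren, anbei meine Bewerbung.")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="Anschreiben.pdf")
    m.add_attachment(xls_body, maintype="application",
                     subtype="vnd.ms-excel", filename=xls_name)
    return m.as_bytes()


if __name__ == "__main__":
    fake_ole = OLE2_MAGIC + b"\x00" * 64 + VBA_STREAM  # constructed, not a real workbook
    for reason in triage(build_sample("Wiebold-Bewerbung.xls", fake_ole)):
        print("FLAG:", reason)
```

The filename pattern only covers the names reported for this campaign, so the macro and attachment-pairing checks are what remain useful if the naming changes.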

A recent study from IBM Security found that ransomware attacks increased 6,000% in 2016 compared to the previous year. Security experts predict ransomware attacks will increase in 2017, due to their ease of deployment and a lack of strong cybersecurity measures in many companies, as TechRepublic's Dan Patterson reported. While all business sectors are at risk of ransomware attacks, in the past few years, healthcare, finance, education, government, and retail were hit the hardest.

You can help your company avoid ransomware attacks by keeping software up to date, backing up all information every day to a secure, offsite location, segmenting your network, performing penetration testing, and training staff on cybersecurity practices.

The 3 big takeaways for TechRepublic readers

  1. A new ransomware campaign called GoldenEye is targeting German-speaking HR departments, infecting computers via fake job applications, according to a new report from Check Point.
  2. HR departments are especially susceptible to ransomware attacks because staff typically cannot avoid opening emails from people they do not know.
  3. Security experts predict that ransomware attacks will continue to grow in 2017, but there are several steps companies can take to protect themselves.
