GoldenEye takes aim, and it's got HR in the crosshair

A sophisticated new strain of Ransomware has emerged, and it’s got HR in the crosshair.

Since 4am on the 6th December, HR personnel in Germany have been under siege. Cyber Criminals have launched an attack targeting those responsible for recruitment. The perpetrators appear have a great deal of data, with details of both advertised vacancies and the email addresses of internal staff. As a result, the attacks are comprised of highly convincing phishing emails.

According to German website Heise.de, emails are arriving with an innocuous sender name, such as ‘rolf.drescher@’ or ‘drescher1988@’. The email, titled ‘Bewerbung’ (‘application’), includes a polite cover letter, authentic CV - and an excel file. This file, once opened, triggers an infection as it contains a malicious macro. The malware itself is a hybrid of the Petya and MISCHA strains.

Image from Bleeping Computer

It’s no wonder that GoldenEye is spreading.

The ransom demanded is 1.33284506 Bitcoin (or €940/£810), and there’s currently no encryption key available. As a result, German authorities are urging companies to take the following measures:

• Inform all HR staff of the scam

• Disable Macros

• Update Anti-Virus software (although recognition isn’t ideal)

• Backup, don’t Pay Up

The malware is still evolving; although initially limited to Rolf, new ‘names’ and identities have emerged today. It’s not known yet how many companies have been affected.

This refined and focused attack demonstrates that Ransomware isn’t just prolific - it’s getting smarter. And it’s a very bad time to be a jobseeker called Rolf.