GoldenEye strikes HR departments

Researchers at security vendor Check Point have warned of a ransomware attack targeting HR departments. This attack is currently targeted at German speaking companies and pretends to be a job application. Researchers say that the email comes with two attachments. A covering letter which is a standard PDF and an Excel file containing the GoldenEye variant of the Petya ransomware.

Surging Bitcoin prices mean bumper paydays

According to the blog, when the user opens the Excel file: “It contains a picture of a flower with the word “Loading…” underneath, and a text in German asking the victim to enable content so that the macros can run.” Once enabled the macros begin encrypting the local user files before displaying the ransom note: “YOUR_FILES_ARE_ENCRYPTED.TXT”

The computer is then rebooted and GoldenEye begins encrypting the entire hard disk. Eventually the user is presented with a message telling them they are infected with the GoldenEye ransomware. They are asked to download the Tor Browser and pay a ransom of at least 1.3 Bitcoin (BTC).

The surge in value for Bitcoin at the end of 2016 has driven the price up. As of today the price of a single Bitcoin is $1,148 meaning that unlocking the computer will cost the user almost $1,500. Interestingly the researchers believe that the malware owner is trying to get around $1,000 per victim. This means that with the fluctuation in the price of BTC they will have to keep adjusting their ransom demands.

Ransomware as a Service a lucrative business

Back in August, website Bleeping Computer reported both the Petya and Mischa ransomware looking for distributors. It offered distributors a Ransomware as a Service (RaaS) approach. This meant that the more infections they achieved the more they earned. The top rate of bringing in over 125 BTC per week allowed the distributor to keep 85% of the revenue.

At today’s price, a distributor bringing in 126 BTC per week would earn around $123,000. This is likely to be a serious factor behind the surge in ransomware based on Petya and Mischa. Interestingly Check Point says that the developer of Petya stopped running the website in October last year. There is no evidence that they have stopped offering the malware as RaaS.

A new year but an old attack

The Check Point researchers say that this is not a new attack. Last year the Cerber ransomware used this same approach to infect companies via their HR departments. With both Cerber and Petya being distributed as RaaS the researchers believe that just a single threat actor is behind both sets of attacks.


Threat actors will always find the weak point in a company. Sending purchase orders to sales teams, invoices to accounts departments and fake CVs to HR. These are all simple attacks which require little effort on the part of the threat actor. The problem for organisations is educating staff to spot the attacks.

Unlike infected attachments sent to other departments who could try and validate the emails, those sent the HR are harder to spot. This is where organisations need to improve their own internal security alerting. This story should have already resulted in HR teams being sent a warning over fake CVs. The fact that there is a distinct two file signature should something they can quickly spot.

The reality, however, is that few companies will have alerted their HR departments about the attack. The reliance on detecting the infections through security software is not good enough. Those solutions rely on the security vendors updating their software solutions to pick up the attack. They also rely heavily on the internal security teams patching servers and local machines.

Unsurprisingly Check Point ended the blog pointing to products of their own that they claim will stop the attacks.


Please enter your comment!
Please enter your name here