If your business is hiring, you should be aware of a new phishing attack in which cybercriminals are posing as job applicants. Falling victim to this attack may leave your business infected with the GoldenEye ransomware. This phishing campaign was initiated in Germany, but security experts expect it will go global.
Hackers like to target HR staff members because they often open emails and attachments sent by strangers. In the GoldenEye attack, cybercriminals are sending phishing emails that have the word "application" in the subject line to HR departments. The emails include two attachments: a PDF file and a Microsoft Excel spreadsheet.
The PDF file, which does not contain any malicious code, is a cover letter. Its purpose is to reassure HR staff members that they are dealing with a real job applicant. To make the cover letter seem more legitimate, the hackers even include a person’s photo. The cover letter tells the HR staff members to see the attached Excel file, which supposedly includes a resume, references, and an aptitude profile.
If the HR staff members open the Excel spreadsheet, a visual element indicates that the information is loading. An accompanying message tells them to "please use the editing options to display the aptitude profile". This is meant to trick the HR staff into clicking the "Enable Content" option, which will appear if Excel is left at its default setting of "Disable all macros with notification". A Word macro is a small program that lets you execute complex procedures with a single command or keyboard stroke. In this case, the macro’s commands instruct the computer to download the GoldenEye ransomware from a remote server and install it.
Once installed, GoldenEye first encrypts the victim’s files. Afterward, it displays a ransom note that asks for 1.3 bitcoins to decrypt the files. But the ransomware does not stop there. It restarts the computer and encrypts the hard disk’s master file table (MFT), which cripples the computer. The victim then receives a second ransom note that asks for an additional 1.3 bitcoins to decrypt the MFT. GoldenEye uses different algorithms and keys to encrypt the files and MFT, so victims need to pay both ransoms if they have not backed up their files and applications.
The most important way to protect your business from the GoldenEye ransomware is to regularly back up your files and applications. Having backups on hand means you won’t have to pay any ransom. However, it won’t prevent a GoldenEye infection. For this reason, you might consider taking the following precautions:
If you do not regularly back up your business’s files and applications, now is a good time to get a process in place. Not doing so might mean you have to pay multiple ransoms if one of your computers becomes infected with GoldenEye — and paying the ransoms does not guarantee you will get the keys needed to decrypt your files and applications. If you need help in developing and implementing a backup strategy, contact us.
About CHIPS Computer Services
CHIPS Computer Services is an award winning Managed Services Provider specializing in help businesses increase efficiencies and profits by levering properly managed technology. To learn how CHIPS can help your business, email us at firstname.lastname@example.org to schedule no cost business assessment.