GoldenEye Ransomware hitting recruitment industry

Written by: Gerard
Blog
25 January, 2017


For a few weeks now, cyber criminals have been specifically targeting HR professionals. An email that appears to come from a candidate encrypts the files on your computer once the attachment is opened, and they can only be recovered after a ransom has been paid. In this blog our security specialist Gerard Arall explains what ransomware is and how to minimise the risk of being affected.

Ransomware?

Ransomware is a form of online blackmail carried out with malware: a program that encrypts a computer's data and then charges the user for the decryption password.

The GoldenEye ransomware was initially distributed by phishing emails, targeting Germany. However, the threat spread out globally.

How do you recognise it?

When GoldenEye tries to infect a computer, it arrives as an email to recruiters that looks like a normal job application, with two files attached:

  • The first one is a harmless PDF file, which tricks the user into believing that this is a normal job application.
  • The second file is an Excel file, which contains a form with the job request itself. This is where the alarm bells should ring for recruiters: the malware resides in this second Excel file. When you open it, Excel will ask you to enable Visual Basic for Applications (VBA) macros to load the content.

Infection

Once you enable the macro, the ransomware silently starts its attack, encrypting all your files and leaving a ransom note as a text file. When it is done, the malware also reboots your computer, and from that moment on you can no longer reach your files. Instead, the ransom message appears.

Ransom amount

To unlock the files, the ransomware asks you to visit a Tor-based site, where the steps for purchasing Bitcoins and paying the ransom are shown.

GoldenEye demands 1.3 Bitcoins (roughly €1,100 today). After paying the ransom, you are provided with a key to recover the files. In addition, you risk a fine from the Dutch data protection authority (Autoriteit Persoonsgegevens) because personal information has been leaked.

Protection tips

This all sounds pretty scary, but we will give you some tips that help you avoid being affected. At Endouble we serve thousands of application submissions to our clients every day. As we work with Unix machines, this does not directly affect us, but it does affect our clients. That is why we suggest following some security advice in order to minimise the risk.

  • Backups

Regularly back up your important files on a separate device. If the worst happens, you will have a safely stored copy of your files.

  • Anti-spam filter

Most ransomware variants are known to spread via eye-catching emails with infectious attachments. Make sure your email provider blocks dubious attachments with extensions like .exe, .vbs, .src and .pkg.
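As an added example (not code from the original post), a small Python check a mail gateway could run on an incoming application email: it flags attachments with the blocked extensions named above and Office attachments that carry a VBA project, the pattern described in the recognition section. The sample mail, the workbook contents and the extension list are constructed for illustration.

```python
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the blog recommends blocking at the mail gateway (constructed list).
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr", ".pkg"}

def has_vba_project(data: bytes) -> bool:
    """True if a zip-based Office file (.xlsm, .docm) carries a vbaProject.bin entry."""
    if not data.startswith(b"PK"):  # not a zip container, so not OOXML
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def scan_message(msg: EmailMessage) -> list[tuple[str, str]]:
    """Return (filename, reason) for every attachment a gateway should quarantine."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension {ext}"))
        elif has_vba_project(payload):
            findings.append((name, "Office document contains VBA macros"))
    return findings

def build_workbook(with_macro: bool) -> bytes:
    """Constructed minimal zip that mimics an Excel workbook (not a real sheet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed macro blob")
    return buf.getvalue()

def sample_application_email() -> EmailMessage:
    """Constructed mail mirroring the lure: harmless PDF plus macro-enabled workbook."""
    msg = EmailMessage(policy=policy.default)
    msg["Subject"] = "Application for the open position"
    msg.set_content("Dear recruiter, please find my CV and application form attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application", subtype="pdf", filename="CV.pdf")
    msg.add_attachment(build_workbook(True), maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="application_form.xlsm")
    return msg
```

Only the macro-bearing workbook is reported; the PDF passes, which is exactly why the lure pairs the two.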

  • Software updates

Make sure your software is up to date. Ransomware also targets outdated software that contains security vulnerabilities, especially your operating system, your browser and Flash / Java plugins.

  • Microsoft Office

Harden your office suite components like Word, Excel, PowerPoint and Access. In particular, disable macros and ActiveX. Additionally, blocking external content is a dependable way to keep malicious code from being executed on the machine.

  • Antivirus

Install and use an up-to-date antivirus solution. It will not protect you against the newest threats, but it helps prevent the most widely known ones.

  • Common sense

Finally, stay informed. One of the most common ways computers get infected with ransomware is social engineering. Educate yourself on how to detect phishing campaigns, suspicious websites and other scams. Above all else, exercise common sense: if it seems suspect, it probably is.
