This Ransomware Campaign Targets Only HR Departments

Malware and Ransomware have long proven to be one of the major threat for both enterprises and consumers, and a recent ransomware campaign is targeting corporate Human Resources (HR) departments and shows that the threat to businesses is still raising.

The attack first starts with the emails that are designed to mimic the job applications, these contain a brief message from the alleged applicant, and also two attachments which are there to lead to the ransomware. According to the Check Point researchers, this campaign targets HR departments because the people who work in the HR department cannot avoid opening the emails and attachments they recieved from strangers.

Spam emails are used as the major source of infection in many malware types, and it is no surprise to us that cybercriminals will continue to use this attack method. The malware campaigning here we are talking is distributing the GoldenEye ransomware family, which is a child of Petya and Mischa, a malware duo emerged back in the spring of 2016.

The campaign which the Check Point researchers revealed targets German speakers and also features a cover letter inside a non-malicious PDF as an attachment that is meant to trick the potential victim into believing the email might be legitimate. However, there is a second attachment which features the malicious intent: a macro-enabled Excel file.

The victim is lured into enabling the macro and, as soon as that happens, the code inside the macro initiates the file-encryption process, ultimately denying the user access to their files. Next, the ransomware appends a random 8-character extension to each encrypted file, drops a ransom note, and then forces a reboot to encrypt the disk.

“This action makes it impossible to access any files on the hard disk. While the disk undergoes encryption, the victim sees a fake “chkdsk” screen, as in previous Petya variants,” Check Point security researchers explain. A boot-level ransom note is displayed after that.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil