Petya-Mischa Ransomware variant GoldenEye

[German]Petya-Mischa ransomware seems to return as “GoldenEye”, hitting German companies. Currently the e-mail spam campaign spreading GoldenEye addresses German speaking users so far. 


Advertising

Human resources department as target

The spam e-mails are addressing people in German human resources department – suggesting it will be a legit application.

E-Mail mit Ransomware
(Source: Bleeping Computer)

The e-mail body contains the name of a person within the human resources department and also addresses job offers from this company as well as non public e-mail-addresses and phone numbers of this employee. The mail contains a PDF document with further details to make it more serious looking. Attached is also an Excel .xls file, suggesting that it contains a resume or curriculum vitae.

Excel-Dokument
(Source: malwr.com)

If the receiver of this spam mail opens the Excel file, he will be greeted with a German message, suggesting to enable the Excel feature to edit the document. If the user enables this feature, a macro will be executed. This macro load some encryption Trojans and begin to encrypt user data. Afterward, the ransomware displays a note:


Advertising


(Source: Bleeping Computer)

On the given website the cyber criminals requests 1,33 bitcoins to unencrypt the user data. The Trojan also tries to install a new master boot record (MBR) to encrypt more files. Further details may be found within my German article or at Bleeping Computer.


Advertising
This entry was posted in Windows and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *