Petya-Mischa Ransomware variant GoldenEye

[German]Petya-Mischa ransomware seems to return as "GoldenEye", hitting German companies. Currently the e-mail spam campaign spreading GoldenEye addresses German speaking users so far. 


Human resources department as target

The spam e-mails are addressing people in German human resources department – suggesting it will be a legit application.

E-Mail mit Ransomware
(Source: Bleeping Computer)

The e-mail body contains the name of a person within the human resources department and also addresses job offers from this company as well as non public e-mail-addresses and phone numbers of this employee. The mail contains a PDF document with further details to make it more serious looking. Attached is also an Excel .xls file, suggesting that it contains a resume or curriculum vitae.


If the receiver of this spam mail opens the Excel file, he will be greeted with a German message, suggesting to enable the Excel feature to edit the document. If the user enables this feature, a macro will be executed. This macro load some encryption Trojans and begin to encrypt user data. Afterward, the ransomware displays a note:


(Source: Bleeping Computer)

On the given website the cyber criminals requests 1,33 bitcoins to unencrypt the user data. The Trojan also tries to install a new master boot record (MBR) to encrypt more files. Further details may be found within my German article or at Bleeping Computer.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Windows and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *