[German]Petya-Mischa ransomware seems to return as "GoldenEye", hitting German companies. Currently the e-mail spam campaign spreading GoldenEye addresses German speaking users so far.
Advertising
Human resources department as target
The spam e-mails are addressing people in German human resources department – suggesting it will be a legit application.
(Source: Bleeping Computer)
The e-mail body contains the name of a person within the human resources department and also addresses job offers from this company as well as non public e-mail-addresses and phone numbers of this employee. The mail contains a PDF document with further details to make it more serious looking. Attached is also an Excel .xls file, suggesting that it contains a resume or curriculum vitae.
(Source: malwr.com)
If the receiver of this spam mail opens the Excel file, he will be greeted with a German message, suggesting to enable the Excel feature to edit the document. If the user enables this feature, a macro will be executed. This macro load some encryption Trojans and begin to encrypt user data. Afterward, the ransomware displays a note:
Advertising
(Source: Bleeping Computer)
On the given website the cyber criminals requests 1,33 bitcoins to unencrypt the user data. The Trojan also tries to install a new master boot record (MBR) to encrypt more files. Further details may be found within my German article or at Bleeping Computer.
