If your business is hiring, you should be aware of a new phishing attack in which cybercriminals are posing as job applicants. Falling victim to this attack may leave your business infected with the GoldenEye ransomware. This phishing campaign was initiated in Germany, but security experts expect it will go global.
How the Attack Works
Hackers like to target HR staff members because they often open emails and attachments sent by strangers. In the GoldenEye attack, cybercriminals are sending phishing emails that have the word "application" in the subject line to HR departments. The emails include two attachments: a PDF file and a Microsoft Excel spreadsheet.
The PDF file, which does not contain any malicious code, is a cover letter. Its purpose is to reassure HR staff members that they are dealing with a real job applicant. To make the cover letter seem more legitimate, the hackers even include a person’s photo. The cover letter tells the HR staff members to see the attached Excel file, which supposedly includes a resume, references, and an aptitude profile.
If the HR staff members open the Excel spreadsheet, a visual element indicates that the information is loading. An accompanying message tells them to "please use the editing options to display the aptitude profile". This is meant to trick the HR staff into clicking the "Enable Content" option, which will appear if Excel is left at its default setting of "Disable all macros with notification". A Word macro is a small program that lets you execute complex procedures with a single command or keyboard stroke. In this case, the macro’s commands instruct the computer to download the GoldenEye ransomware from a remote server and install it.
Once installed, GoldenEye first encrypts the victim’s files. Afterward, it displays a ransom note that asks for 1.3 bitcoins to decrypt the files. But the ransomware does not stop there. It restarts the computer and encrypts the hard disk’s master file table (MFT), which cripples the computer. The victim then receives a second ransom note that asks for an additional 1.3 bitcoins to decrypt the MFT. GoldenEye uses different algorithms and keys to encrypt the files and MFT, so victims need to pay both ransoms if they have not backed up their files and applications.
What You Can Do to Protect Your Business
The most important way to protect your business from the GoldenEye ransomware is to regularly back up your files and applications. Having backups on hand means you won’t have to pay any ransom. However, it won’t prevent a GoldenEye infection. For this reason, you might consider taking the following precautions:
- Let the HR staff know about the dangers of enabling Excel macros. Assuming that the default macro setting has not been changed, the only way to unleash GoldenEye is if the HR staff (or someone else involved in the hiring process) opens the attached Excel file and allows the macro to run. Thus, warning the HR staff about the dangers of enabling macros is a good idea.
- Educate the HR staff about phishing emails. Taking the time to educate HR staff about the GoldenEye phishing email as well as how to spot other phishing emails will help reduce the likeliness of them falling victim to an attack.
- Use anti-malware software. While anti-malware software might not catch this macro-based attack (the macro contains download commands rather than the actual ransomware), it is still important to use anti-malware software. It can detect the malicious code that does make it onto a computer.
Take Action Now as Waiting Could Be Costly
If you do not regularly back up your business’s files and applications, now is a good time to get a process in place. Not doing so might mean you have to pay multiple ransoms if one of your computers becomes infected with GoldenEye — and paying the ransoms does not guarantee you will get the keys needed to decrypt your files and applications. If you need help in developing and implementing a backup strategy, contact us.