Despite attempts to brand it as new malware, GoldenEye, the latest Petya variant, closely resembles older versions and differs mostly in its “golden” motif. The most notable change is how the campaign distributes the ransomware.
The current campaign used to distribute GoldenEye has a job application theme. It therefore targets companies’ Human Resources departments, which usually cannot avoid opening emails and attachments from strangers, a common malware infection vector.
HR-Targeted Ransomware
The new campaign targets German speakers and mimics a job application. The email contains a brief message supposedly from a job applicant and contains two attachments as can be seen below.
The first attachment is a PDF containing a cover letter. It has no malicious content; its primary purpose is to lull the victim into a false sense of security. The second attachment is an Excel file with malicious macros, unbeknownst to the recipient. It contains a picture of a flower with the word “Loading…” underneath, and German text asking the victim to enable content so that the macros can run.
Image 1: Screenshot of the email campaign
Image 2: The PDF Cover letter, with no malicious content
Check Point security researchers observed the spam campaign running in the past few days and identified that the Excel files have different names. They follow a similar pattern: the name of a job-seeking “candidate” followed by the German word for “application” (“Bewerbung”):
Wiebold-Bewerbung.xls
Meinel-Bewerbung.xls
Seidel-Bewerbung.xls
Wüst-Bewerbung.xls
Born-Bewerbung.xls
Schlosser-Bewerbung.xls
Image 3: The Excel file requesting to run macros
Encryption Process
When a user clicks “Enable Content”, the code inside the macro executes and initiates the process of encrypting the files, denying the victim access to his or her files.
GoldenEye then appends a random 8-character extension to each encrypted file. Once all files are encrypted, GoldenEye drops the ransom note “YOUR_FILES_ARE_ENCRYPTED.TXT”.
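The two file-level artefacts described here (the appended 8-character extension and the dropped ransom note), together with the attachment naming scheme listed above, can be turned into a simple triage check. The following is an added example written for this post, not Check Point tooling; it assumes the random extension is alphanumeric (the report only gives its length) and runs over a constructed file listing.

```python
import re
from pathlib import PurePosixPath

# Indicators taken from the report: the lure attachment name pattern
# "<Candidate>-Bewerbung.xls", the dropped ransom note, and an appended
# random 8-character extension on each encrypted file.
RANSOM_NOTE = "YOUR_FILES_ARE_ENCRYPTED.TXT"
LURE_RE = re.compile(r"^[^\W\d_]+-Bewerbung\.xls$", re.IGNORECASE)  # \w covers "ü"
# Assumption: the random extension is alphanumeric; the report only states its length.
RANDOM_EXT_RE = re.compile(r"^[A-Za-z0-9]{8}$")
# Legitimate 8-character extensions that a pure length test would misfire on.
BENIGN_8CHAR = {"markdown", "manifest", "template", "htaccess"}


def is_lure_attachment(filename: str) -> bool:
    """True for attachment names that follow the campaign's naming scheme."""
    return bool(LURE_RE.match(filename))


def scan_listing(paths):
    """Inspect a file listing for GoldenEye post-encryption artefacts.

    Returns the ransom-note hits, files carrying a suspicious 8-character
    extension, and a coarse verdict for triage.
    """
    note_hits, suspect = [], []
    for p in paths:
        name = PurePosixPath(p).name
        if name.upper() == RANSOM_NOTE:
            note_hits.append(p)
            continue
        suffix = PurePosixPath(p).suffix[1:]  # last extension only, no leading dot
        if RANDOM_EXT_RE.match(suffix) and suffix.lower() not in BENIGN_8CHAR:
            suspect.append(p)
    if note_hits and suspect:
        verdict = "encrypted"    # note dropped and renamed files present
    elif note_hits or len(suspect) >= 5:
        verdict = "suspicious"   # a single indicator; escalate for review
    else:
        verdict = "clean"
    return {"ransom_notes": note_hits, "suspect_files": suspect, "verdict": verdict}


# Constructed sample listing (not from a real infection): benign files,
# files with the appended extension, and the ransom note.
SAMPLE_LISTING = [
    "/home/hr/Desktop/Wüst-Bewerbung.xls",
    "/home/hr/Documents/budget.xlsx.Ab3kQ9zT",
    "/home/hr/Documents/offer.docx.Ab3kQ9zT",
    "/home/hr/Documents/notes.txt",
    "/home/hr/Documents/README.markdown",
    "/home/hr/Desktop/YOUR_FILES_ARE_ENCRYPTED.TXT",
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
```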
After displaying the ransom note, GoldenEye forces a reboot and starts encrypting the disk. This action makes it impossible to access any files on the hard disk. While the disk undergoes encryption, the victim sees a fake “chkdsk” screen, as in previous Petya variants.
Image 4: fake “chkdsk” screen
Following the encryption of the disk, the victim is presented with a boot-level ransom note.
The ransom note content is the same as in previous Petya variants; however, GoldenEye uses a yellow colored text instead of red or green.
The victim is presented with a “personal decryption code”, which they can enter in a Dark Web portal in order to pay the ransom. The Dark Web portal includes a support page, where victims can send messages to the GoldenEye admin if they have issues with the payment or decryption process.
The current ransom demanded by GoldenEye begins at 1.3 Bitcoin (BTC), which is approximately $1,000, with observed figures between 1.33 and 1.39 BTC. We can assume that the actor behind GoldenEye aims to receive $1,000 for each infection, and that the actual ransom amount therefore varies with BTC price fluctuations.
The developer behind Petya is a cyber-criminal who goes by the name of Janus. Up to October 2016, Janus ran the “Janus Cybercrime” website, where Petya was offered in combination with another ransomware, Mischa, as a Ransomware-as-a-Service. Janus is also the name of the cybercrime syndicate that was featured in the James Bond film GoldenEye, released in 1995.
A Non-Coincidental Resemblance
If the Bewerbung campaign sounds familiar, it is probably because it was used in the past by the Cerber ransomware [3]. As both Petya/GoldenEye and Cerber operate as ransomware-as-a-service (RaaS), it is very likely that a single threat actor is leveraging the German CV campaign to deliver both malware families to their victims.
How Can You Stay Protected?
Check Point SandBlast Zero Day Protection Blade protects against this threat.
A Check Point Forensics report of this threat can be seen here.
References:
- “Petya – Taking Ransomware to the Low Level.” Blog post. Malwarebytes Labs. Malwarebytes, 01 Apr. 2016. Web. 07 Dec. 2016. <https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/>.
- Cimpanu, Catalin. “Petya Ransomware Returns with GoldenEye Version, Continuing James Bond Theme.” Blog post. BleepingComputer. Bleeping Computer® LLC, 06 Dec. 2016. Web. 07 Dec. 2016. <https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/>.
- Check Point Threat Intelligence Research Team. “CerberRing: An In-Depth Exposé on Cerber Ransomware-as-a-Service.” Blog post. Check Point Blog. Check Point Software Technologies Ltd., 16 Aug. 2016. Web. 14 Dec. 2016. <http://blog.checkpoint.com/2016/08/16/cerberring/>.