Cyber criminals are targeting companies’ human resources departments with malware-infected job applications, according to online security firm Check Point.
Researchers at the software technology company have described how the attackers exploit the fact that workers in personnel departments often spend much of their day opening application documents: they embed GoldenEye, a variant of the Petya ransomware, in resumes and cover letters.
At present, the criminals behind the attacks are targeting German firms, and are even going to the trouble of tailoring individual cover notes to make their applications appear more genuine.
The hackers send an initial message carrying two attachments. The first is a PDF cover letter that contains no malware and is intended to reassure the victim that the application is genuine. The second is an Excel spreadsheet purporting to be a completed application form; this one carries the GoldenEye payload.
When opened, the Excel sheet asks the recipient to enable macros. If they do, the macro runs the malware, which encrypts the user’s files and then demands a ransom to unlock them.
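The delivery chain above relies on an Office attachment that carries a VBA project, so the first thing a mail gateway can do is flag such attachments before they reach a recruiter's inbox. The following is an added example written for this page, not code from Check Point or from the article: it classifies an attachment by structure rather than by file extension, using only the Python standard library. Modern Office files are zip containers and store macros in a `vbaProject.bin` part; legacy binary files (OLE2, magic `D0 CF 11 E0 ...`) need a dedicated OLE parser, so here they are treated as suspicious rather than proven clean. The file names and sample bytes are constructed for the demonstration and are not real workbooks.

```python
"""Triage e-mail attachments for embedded VBA macros (stdlib only).

Added example, not part of the original article or the Check Point
research. Sample file names and bytes below are constructed.
"""
import io
import zipfile

# Legacy binary Office container (.xls/.doc): OLE2 compound file header.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Zip local-file header: start of an OOXML (.xlsx/.xlsm/.docx/...) container.
ZIP_MAGIC = b"PK\x03\x04"
# OOXML stores the VBA project in a part named vbaProject.bin (e.g. xl/vbaProject.bin).
VBA_PART_SUFFIX = "vbaproject.bin"


def classify_attachment(name: str, data: bytes) -> str:
    """Return one of 'macro', 'legacy-binary', 'clean' or 'not-office'.

    The verdict is based on the bytes, not the extension, because Excel
    opens an OOXML file even when it is renamed to .xls.
    """
    if data.startswith(OLE2_MAGIC):
        # Macros in the legacy format live inside an OLE storage; without an
        # OLE parser we cannot prove their absence, so quarantine for review.
        return "legacy-binary"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "not-office"
        if "[content_types].xml" not in names:
            return "not-office"  # an ordinary zip archive, not OOXML
        if any(n.endswith(VBA_PART_SUFFIX) for n in names):
            return "macro"
        return "clean"
    return "not-office"


def _build_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML skeleton (not an openable workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed attachments mirroring the lure described in the text:
# a harmless PDF cover letter plus an Excel "application form" with macros.
SAMPLES = {
    "Anschreiben.pdf": b"%PDF-1.4\n%constructed sample\n",
    "Bewerbungsformular.xlsm": _build_ooxml(with_vba=True),
    "Lebenslauf.xlsx": _build_ooxml(with_vba=False),
    "Bewerbung_alt.xls": OLE2_MAGIC + b"\x00" * 504,
}


def triage(samples=None) -> dict:
    """Classify every attachment and return {name: verdict}."""
    samples = SAMPLES if samples is None else samples
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for attachment, verdict in triage().items():
        print(f"{verdict:14s} {attachment}")
```

Anything classified as `macro` or `legacy-binary` is a candidate for quarantine or for detonation in a sandbox; the decoy PDF, which the article notes is clean, passes through as `not-office`. Inspecting the zip part list is cheap enough to run on every inbound message.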
“After displaying the ransom note, GoldenEye forces a reboot and starts encrypting the disk,” a Check Point analyst writes.
“This action makes it impossible to access any files on the hard disk. While the disk undergoes encryption, the victim sees a fake ‘chkdsk’ screen, as in previous Petya variants. Following the encryption of the disk, the victim is presented with a boot-level ransom note.”
At this stage, the victim is directed to a dark web portal and instructed to pay a ransom of 1.3 Bitcoins (€1,212) to decrypt their files. Check Point said ransom demands vary around this amount, suggesting the attackers are looking to clear roughly $1,000 from each victim.
The hackers behind GoldenEye are also thought to offer ransomware-as-a-service plans. Sold on the dark web, these schemes allow anybody who has the technical skills required to access hidden websites to pay a fee to launch their own ransomware attacks.
In its 2016 Internet Organised Crime Threat Assessment, Europol said ransomware is the biggest online threat facing EU law enforcement.
“While police ransomware appears to have dropped off the radar almost completely, the number of cryptoware variants has multiplied,” the report said.
“Whereas each variant has its own unique properties, many are adopting similar anonymisation strategies such as using Tor or I2P for communication, and business models offering free test file decryptions to demonstrate their intentions.”
In response to the threat, Europol and a range of partners last year launched the No More Ransom campaign, which is designed to raise awareness of ransomware attacks and offer victims advice on what to do if they are targeted.