The ransomware is currently distributed via spam campaigns that at the moment seem to be targeting German-speaking users.
The spam emails use the classic resume theme, come with two file attachments, and have a subject line starting with the word Bewerbung (German for "job application"), as shown below.
The first attachment is a fake resume that is being used to convince the human resources department that the email is legitimate. You can see one of the pages of this PDF below.
The Excel spreadsheet, shown below, is the actual GoldenEye installer: it contains a malicious macro that drops and runs the ransomware.
In the spam campaign observed in the past days, the Excel files have the following names:
When a user clicks the Enable Content button, the macro runs, decodes base64 strings embedded in the script, and writes the result to an executable file in the temp folder. Once the file has been written, the VBA script launches it, and the program begins encrypting the computer.
You can see a small portion of the deobfuscated VBA macro that generates the installer below. I have posted the full VBA script here.
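The drop-and-run pattern described above is easy to triage statically: pull every long string literal that uses only the base64 alphabet out of the macro, join them in source order, decode, and check whether the result starts with the "MZ" magic of a Windows executable. The script below is an added example written for this page, not the article's VBA or any GoldenEye code. The SAMPLE_MACRO text, the indicator strings, the Decode() helper it mentions and the verdict rule are all constructed for the demonstration.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample macro in the style the article describes (not the real
# GoldenEye script): the base64 payload is split across several string literals,
# reassembled, decoded, written under %TEMP% and launched from Auto_Open.
# Decode() stands in for whatever base64 routine the macro carries.
SAMPLE_MACRO = r'''
Sub Auto_Open()
    Dim p As String, b As String
    p = Environ("TEMP") & "\svc.exe"
    b = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    b = b & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    b = b & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    Dim bin() As Byte
    bin = Decode(b)
    Open p For Binary Access Write As #1
    Put #1, , bin
    Close #1
    Shell p, vbHide
End Sub
'''

# Constructed benign macro used as a negative control.
BENIGN_MACRO = r'''
Sub FormatReport()
    Range("A1").Font.Bold = True
    MsgBox "Done"
End Sub
'''

STRING_LITERAL = re.compile(r'"([^"\n]*)"')
B64_TOKEN = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')
AUTOEXEC = ("Auto_Open", "Workbook_Open", "Document_Open", "AutoOpen")
# Assumed indicators: a path under %TEMP%, a binary file write, and process launch.
INDICATORS = ('Environ("TEMP")', "For Binary", "Put #", "Shell")


def extract_b64_chunks(vba: str, min_len: int = 32) -> list:
    """String literals that are long and drawn only from the base64 alphabet."""
    return [s for s in STRING_LITERAL.findall(vba)
            if len(s) >= min_len and B64_TOKEN.match(s)]


def carve_payload(vba: str) -> Optional[bytes]:
    """Join the chunks in source order and decode them strictly."""
    chunks = extract_b64_chunks(vba)
    if not chunks:
        return None
    try:
        return base64.b64decode("".join(chunks), validate=True)
    except binascii.Error:
        return None


def is_pe(data: bytes) -> bool:
    """A Windows executable begins with the DOS header magic 'MZ'."""
    return data[:2] == b"MZ"


def triage(vba: str) -> dict:
    payload = carve_payload(vba)
    found = [i for i in INDICATORS if i in vba]
    drops_pe = payload is not None and is_pe(payload)
    return {
        "autoexec": any(name in vba for name in AUTOEXEC),
        "chunks": len(extract_b64_chunks(vba)),
        "payload_len": len(payload) if payload else 0,
        "drops_pe": drops_pe,
        "indicators": found,
        # Constructed verdict rule: an embedded PE plus a way to execute it.
        "malicious": drops_pe and "Shell" in found,
    }


if __name__ == "__main__":
    for label, macro in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(label, triage(macro))
```

Real macros usually obfuscate the literals further (reversed strings, Chr() calls, string replacement), so treat a clean decode as a strong signal and a failed decode as a reason to deobfuscate by hand, not as a clean bill of health.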
How GoldenEye Encrypts a Computer
Once the ransomware takes root, its modus operandi differs a little from how Petya and Mischa worked in the past. In Petya/Mischa infections, if Petya could not obtain administrative privileges to overwrite the MBR, it fell back to the standard file-encrypting component, Mischa. GoldenEye, by contrast, encrypts the files on the computer first and only then tries to install the MBR bootkit that encrypts the drive's MFT.
The GoldenEye variant starts by encrypting the user’s files, just like regular ransomware. For each file it encrypts, GoldenEye appends a random 8-character extension at the end.
The ransomware then also overwrites the MBR (Master Boot Record) of the user's hard drive with a custom boot loader.
Once this operation ends, the ransomware shows the following ransom note. The file’s name is YOUR_FILES_ARE_ENCRYPTED.TXT.
This is the “Mischa” part of the Petya-Mischa combo. Mischa acts as a regular file encryptor, while Petya is the hard drive locker.
Shortly after displaying the ransom note, GoldenEye moves on to the Petya stage of the attack.
It forcibly reboots the user's computer and, on the next boot, starts encrypting the hard drive's MFT (Master File Table), which makes every file on the disk inaccessible.
The MFT encryption process is masked by a fake chkdsk screen, just like in past Petya variants.
After this process ends, we see more visible changes from previous Petya-Mischa infections, which is a new ransom screen.
Technically, this boot level ransom note is the same as previous Petya screens, but it’s now displayed using yellow-colored text. Initially, Petya used red text, and then switched to green when the Mischa component was added.
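The two stages described above leave two artifacts a defender can look for: a burst of files renamed with an extra random 8-character extension (plus the ransom note) during stage one, and a replaced boot sector before the reboot in stage two. The script below is an added example written for this page, not the article's code or anything from GoldenEye. The renaming regex, the alert threshold, the sample directory listings, the make_sector() builder and the boot-code bytes are all constructed assumptions; on a real host you would read the first 512 bytes of the physical disk and compare them to a hash taken while the machine was known-good.

```python
import hashlib
import re

RANSOM_NOTE = "YOUR_FILES_ARE_ENCRYPTED.TXT"   # file name given in the article

# Assumed heuristic: an ordinary name with its own extension, followed by a
# second extension of exactly 8 alphanumeric characters.
ENCRYPTED_NAME = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.[A-Za-z0-9]{8}$")


def looks_encrypted(name: str) -> bool:
    return ENCRYPTED_NAME.match(name) is not None


def scan_listing(names: list, threshold: int = 3) -> dict:
    """Score one directory listing (file names only); threshold is an assumption."""
    hits = [n for n in names if looks_encrypted(n)]
    note = RANSOM_NOTE in names
    return {"encrypted_files": hits, "ransom_note": note,
            "alert": note or len(hits) >= threshold}


# MBR layout: 440 bytes of boot code, 4-byte disk signature, 2 reserved bytes,
# 64-byte partition table, 0x55AA boot signature.  Only the boot code is hashed,
# so a legitimate partition-table change does not raise an alert.
BOOT_CODE_LEN = 440
SECTOR_LEN = 512


def boot_code_hash(sector: bytes) -> str:
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def mbr_check(sector: bytes, baseline_hash: str) -> dict:
    if len(sector) != SECTOR_LEN:
        raise ValueError("expected one 512-byte sector")
    return {
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "boot_code_changed": boot_code_hash(sector) != baseline_hash,
    }


def make_sector(boot_code: bytes, partition_table: bytes = b"\x00" * 64) -> bytes:
    """Constructed sector builder for the example (stands in for a disk read)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    return code + b"\x00" * 6 + partition_table + b"\x55\xAA"


# Constructed listings: a user folder after stage one, and a clean one.
LISTING_AFTER = ["report.docx.k3Zp9xQa", "budget.xlsx.J7mT2bVc",
                 "photo.jpg.Rd81LwYq", "notes.txt", RANSOM_NOTE]
LISTING_CLEAN = ["report.docx", "budget.xlsx", "archive.tar.gz", "notes.txt"]


if __name__ == "__main__":
    print(scan_listing(LISTING_AFTER))
    print(scan_listing(LISTING_CLEAN))
    baseline = make_sector(b"\xEB\x3C\x90")        # stand-in for the original boot code
    ref = boot_code_hash(baseline)
    print(mbr_check(baseline, ref))                # unchanged
    print(mbr_check(make_sector(b"\xFA\x31\xC0"), ref))  # different boot code
```

The file-name check is deliberately loose and will misfire on names that happen to carry an 8-character suffix, which is why it is combined with the ransom note and a per-directory count; the boot-sector hash is the more reliable of the two, but it only helps if the baseline was recorded before the infection.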
Users that want to recover files must take the “personal decryption code” from the ransom note and enter it on a Dark Web portal. The GoldenEye Petya version asks for 1.33284506 Bitcoin (roughly $1,000).
The Dark Web portal also includes a support area, where one user has already reported that GoldenEye has caused his computer to crash.
While GoldenEye tries to pass as a brand new ransomware, its modus operandi, ransom note texts, and just about everything else give it away as a rebranded Petya-Mischa combo.
The Petya ransomware first appeared in March 2016, and its first version only encrypted the MBR and MFT. Because this process needed admin privileges to run correctly and caused multiple errors that stopped the encryption, in May its creator added the Mischa file encryptor component to Petya, so as to encrypt files the "classic" way in case the HDD encryptor fails.
The man responsible for Petya and Mischa is a cyber-criminal that goes by the name of Janus, who up until October 2016 ran the Janus Cybercrime website, where he offered the Petya & Mischa ransomware combo as a RaaS (Ransomware as a Service).
In July, Janus also sabotaged one of his competitors by releasing the decryption keys for the Chimera ransomware.
Janus Syndicate is also the name of the cybercrime syndicate that was featured in the 1995 James Bond film GoldenEye.
As a result, we are urging companies to take the following measures:
- Inform all HR staff of the scam
- Disable Office macros by policy, or at least block macros in documents that arrive by email or from the Internet
- Update anti-virus software
It is currently unclear how many people have been infected with GoldenEye, but as the new strain of ransomware evolves, the threat may spread to more regions.