Connect with us

Hi, what are you looking for?


Malware & Threats

Petya Variant Goldeneye Emerges

A variant of the Petya ransomware has emerged recently, which has been renamed to Goldeneye, but shows almost no differences when compared to the original, security researchers warn.

A variant of the Petya ransomware has emerged recently, which has been renamed to Goldeneye, but shows almost no differences when compared to the original, security researchers warn.

Initially spotted in March this year, Petya became known because it didn’t encrypt user’s files, but modified the MBR (Master Boot Record) in a two-step process and denied access to the entire hard disk. A couple of months later, Petya’s authors decided to bundle the malware with a second ransomware, Mischa, which would kick in when Petya’s encryption process failed.

In July, the Petya-Mischa bundle had already inspired similar threats and was being sold as a Ransomware-as-a-Service (RaaS). While the malware’s behavior didn’t change between those updates, researchers noticed a major difference from the original modus operandi to the one employed by the latest variant using the Goldeneye name.

The ransomware is currently being distributed via resume-themed spam emails targeting enterprise users in Germany. Two attachments are included in the spam emails, one being a fake resume, while the other is an Excel spreadsheet that contains malicious macros designed to install the malware, BleepingComputer explains.

As soon as the victim enables the macros, embedded base64 strings are launched and saved into an executable file in the temp folder, which is then executed to start encrypting the files on the computer. Only after completing the encryption, the malware attempts to modify the MBR, which is the opposite of what Petya-Mischa did before, when they first attacked the MBR and only then encrypted files.

Goldeneye appends a random 8-character extension to the encrypted files, and then modifies the MBR with a custom boot loader. As soon as the encryption operation has been completed, a ransom note is displayed, but only for a short period of time, because the malware reboots the infected computer to encrypt the hard drive’s MFT (Master File Table) to deny access to files.

The ransom screen displayed by the new variant is almost identical to that used by Petya, with only one change made to it: the word “files” has been replaced with “harddisks,” Avira reveals. The text color was modified to yellow, after being red in the initial version and green after Mischa came into play. Goldeneye asks victims to pay a $1,000 ransom and directs users to a Dark Web portal that also includes a support area.

Related: Locky Variant Osiris Distributed via Excel Documents

Advertisement. Scroll to continue reading.

Related: HDDCryptor Ransomware Variant Used in San Francisco Rail System Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.