Security Experts:

Connect with us

Hi, what are you looking for?



Ransomware Campaign Targets HR Departments

Ransomware has long proven to be a major threat for both consumers and enterprises, and a recent campaign targeting corporate Human Resources (HR) departments shows the threat to businesses continues to rise.

Ransomware has long proven to be a major threat for both consumers and enterprises, and a recent campaign targeting corporate Human Resources (HR) departments shows the threat to businesses continues to rise.

The attack starts with emails designed to mimic job applications, which contain not only a brief message from the alleged applicant, but also two attachments that ultimately lead to ransomware. According to Check Point researchers, the campaign targets HR departments because people working there usually cannot avoid opening emails and attachments from strangers.

Spam emails have long been used as a major infection vector for different malware types, and it’s no surprise that cybercriminals continue to use this attack method. The newly observed campaign is distributing the GoldenEye ransomware family, which is the offspring of Petya and Mischa, a malware duo that emerged in the spring of 2016.

The campaign, Check Point researchers reveal, targets German speakers and features a cover letter in a non-malicious PDF as attachment, meant to trick the potential victim into believing that the email might be legitimate. However, there is a second attachment that features malicious intent: a macro-enabled Excel file.

The victim is lured into enabling the macro and, as soon as that happens, the code inside the macro initiates the file-encryption process, ultimately denying the user access to their files. Next, the ransomware appends a random 8-character extension to each encrypted file, drops a ransom note, and then forces a reboot to encrypt the disk.

“This action makes it impossible to access any files on the hard disk. While the disk undergoes encryption, the victim sees a fake “chkdsk” screen, as in previous Petya variants,” Check Point security researchers explain. A boot-level ransom note is displayed after that.

Petya would force the reboot to start encrypting the hard disk’s Master Boot Record (MBR), after which it would display the boot-level ransom note as well. The difference between the two is that Petya didn’t encrypt user files as well (Mischa did that, but only if Petya failed to encrypt the MBR), and that GoldenEye uses a yellow colored ransom note instead of a red or green one.

Victims are directed to a Dark Web portal where they can enter a “personal decryption code” to pay the ransom. A support page is available on the site, allowing victims to send messages to the malware operators should they encounter issues with the payment or decryption process.

GoldenEye usually demands a 1.3 Bitcoins (BTC) ransom, but researchers have observed slight variations (ranging from 1.33 to 1.39 BTC). “We can assume that the actor behind GoldenEye aims to receive $1,000 for each infection, and so the actual ransom amount varies according to BTC price fluctuation,” the security researchers say.

Related: Holiday-Themed Spam Campaigns Ramp Up

Related: HDDCryptor Ransomware Variant Used in San Francisco Rail System Attack

Related: Satana Ransomware Encrypts MBR and User Files

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...