Security Experts:

Connect with us

Hi, what are you looking for?



Ransomware Campaign Targets HR Departments

Ransomware has long proven to be a major threat for both consumers and enterprises, and a recent campaign targeting corporate Human Resources (HR) departments shows the threat to businesses continues to rise.

Ransomware has long proven to be a major threat for both consumers and enterprises, and a recent campaign targeting corporate Human Resources (HR) departments shows the threat to businesses continues to rise.

The attack starts with emails designed to mimic job applications, which contain not only a brief message from the alleged applicant, but also two attachments that ultimately lead to ransomware. According to Check Point researchers, the campaign targets HR departments because people working there usually cannot avoid opening emails and attachments from strangers.

Spam emails have long been used as a major infection vector for different malware types, and it’s no surprise that cybercriminals continue to use this attack method. The newly observed campaign is distributing the GoldenEye ransomware family, which is the offspring of Petya and Mischa, a malware duo that emerged in the spring of 2016.

The campaign, Check Point researchers reveal, targets German speakers and features a cover letter in a non-malicious PDF as attachment, meant to trick the potential victim into believing that the email might be legitimate. However, there is a second attachment that features malicious intent: a macro-enabled Excel file.

The victim is lured into enabling the macro and, as soon as that happens, the code inside the macro initiates the file-encryption process, ultimately denying the user access to their files. Next, the ransomware appends a random 8-character extension to each encrypted file, drops a ransom note, and then forces a reboot to encrypt the disk.

“This action makes it impossible to access any files on the hard disk. While the disk undergoes encryption, the victim sees a fake “chkdsk” screen, as in previous Petya variants,” Check Point security researchers explain. A boot-level ransom note is displayed after that.

Petya would force the reboot to start encrypting the hard disk’s Master Boot Record (MBR), after which it would display the boot-level ransom note as well. The difference between the two is that Petya didn’t encrypt user files as well (Mischa did that, but only if Petya failed to encrypt the MBR), and that GoldenEye uses a yellow colored ransom note instead of a red or green one.

Victims are directed to a Dark Web portal where they can enter a “personal decryption code” to pay the ransom. A support page is available on the site, allowing victims to send messages to the malware operators should they encounter issues with the payment or decryption process.

GoldenEye usually demands a 1.3 Bitcoins (BTC) ransom, but researchers have observed slight variations (ranging from 1.33 to 1.39 BTC). “We can assume that the actor behind GoldenEye aims to receive $1,000 for each infection, and so the actual ransom amount varies according to BTC price fluctuation,” the security researchers say.

Related: Holiday-Themed Spam Campaigns Ramp Up

Related: HDDCryptor Ransomware Variant Used in San Francisco Rail System Attack

Related: Satana Ransomware Encrypts MBR and User Files

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.