Connect with us

Hi, what are you looking for?



Ransomware Campaign Targets HR Departments

Ransomware has long proven to be a major threat for both consumers and enterprises, and a recent campaign targeting corporate Human Resources (HR) departments shows the threat to businesses continues to rise.

Ransomware has long proven to be a major threat for both consumers and enterprises, and a recent campaign targeting corporate Human Resources (HR) departments shows the threat to businesses continues to rise.

The attack starts with emails designed to mimic job applications, which contain not only a brief message from the alleged applicant, but also two attachments that ultimately lead to ransomware. According to Check Point researchers, the campaign targets HR departments because people working there usually cannot avoid opening emails and attachments from strangers.

Spam emails have long been used as a major infection vector for different malware types, and it’s no surprise that cybercriminals continue to use this attack method. The newly observed campaign is distributing the GoldenEye ransomware family, which is the offspring of Petya and Mischa, a malware duo that emerged in the spring of 2016.

The campaign, Check Point researchers reveal, targets German speakers and features a cover letter in a non-malicious PDF as attachment, meant to trick the potential victim into believing that the email might be legitimate. However, there is a second attachment that features malicious intent: a macro-enabled Excel file.

The victim is lured into enabling the macro and, as soon as that happens, the code inside the macro initiates the file-encryption process, ultimately denying the user access to their files. Next, the ransomware appends a random 8-character extension to each encrypted file, drops a ransom note, and then forces a reboot to encrypt the disk.

“This action makes it impossible to access any files on the hard disk. While the disk undergoes encryption, the victim sees a fake “chkdsk” screen, as in previous Petya variants,” Check Point security researchers explain. A boot-level ransom note is displayed after that.

Petya would force the reboot to start encrypting the hard disk’s Master Boot Record (MBR), after which it would display the boot-level ransom note as well. The difference between the two is that Petya didn’t encrypt user files as well (Mischa did that, but only if Petya failed to encrypt the MBR), and that GoldenEye uses a yellow colored ransom note instead of a red or green one.

Victims are directed to a Dark Web portal where they can enter a “personal decryption code” to pay the ransom. A support page is available on the site, allowing victims to send messages to the malware operators should they encounter issues with the payment or decryption process.

Advertisement. Scroll to continue reading.

GoldenEye usually demands a 1.3 Bitcoins (BTC) ransom, but researchers have observed slight variations (ranging from 1.33 to 1.39 BTC). “We can assume that the actor behind GoldenEye aims to receive $1,000 for each infection, and so the actual ransom amount varies according to BTC price fluctuation,” the security researchers say.

Related: Holiday-Themed Spam Campaigns Ramp Up

Related: HDDCryptor Ransomware Variant Used in San Francisco Rail System Attack

Related: Satana Ransomware Encrypts MBR and User Files

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.