Meet the Worst Candidate for the Job—Petya


The new variant of Petya doesn’t have a preference between shaken or stirred. Mostly it’s just in favor of causing a frenzy as the new ransomware, GoldenEye. Much like the James Bond film it’s named for, it is making a bold return.

What is Petya?

Petya is a unique ransomware threat that appeared in the beginning of 2016. Instead of simply encrypting a user’s files, it works by encrypting the master file table (MFT) used by NTFS disk partitions to store file information.

In the attack, each affected system’s master boot record (MBR) is overwritten, and a 32-sector kernel then carries out the encryption. Once Petya executes, the machine crashes, reboots, and presents a skull-and-crossbones animation.

In the ransom note, the threat actors demand payment by bitcoin to decrypt the system. While the statement alludes to the full disk having been encrypted, it actually encrypts the master file table (MFT), rendering the system unreadable.
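As an added example (not code from the original post), here is the defender-side check that follows from the behaviour described above: snapshot the MBR and the 32 sectors behind it while the machine is known good, then compare a later image of the same region sector by sector, since that is where the overwritten boot code and the encrypting kernel land. The disk images below are constructed, and the sector size and watched sector count are assumptions.

```python
import hashlib

SECTOR_SIZE = 512            # assumed sector size
KERNEL_SECTORS = 32          # the page's "32-sector kernel" that follows the MBR
WATCHED = 1 + KERNEL_SECTORS # sector 0 (MBR) plus the 32 sectors behind it


def sector_hashes(image: bytes, count: int = WATCHED) -> list:
    """Per-sector SHA-256 digests of the first `count` sectors of a raw disk image."""
    if len(image) < count * SECTOR_SIZE:
        raise ValueError("image shorter than the watched region")
    return [hashlib.sha256(image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]).hexdigest()
            for i in range(count)]


def has_boot_signature(image: bytes) -> bool:
    """A bootable MBR ends in 0x55 0xAA; a replaced MBR usually keeps it, so this alone proves nothing."""
    return image[510:512] == b"\x55\xaa"


def assess(baseline: list, image: bytes) -> dict:
    """Compare the boot region of `image` against a known-good list of sector hashes."""
    changed = [i for i, (old, new) in enumerate(zip(baseline, sector_hashes(image)))
               if old != new]
    return {
        "boot_signature_ok": has_boot_signature(image),
        "changed_sectors": changed,
        # The pattern described on the page: the MBR itself replaced and most of
        # the sectors behind it rewritten with loader/kernel code.
        "petya_like": 0 in changed and len(changed) > KERNEL_SECTORS // 2,
    }


def make_image(boot_code: bytes, after_mbr: bytes) -> bytes:
    """Constructed disk image: boot code padded to 510 bytes, 0x55AA, then 32 sectors."""
    mbr = boot_code.ljust(510, b"\x00") + b"\x55\xaa"
    tail = after_mbr[:KERNEL_SECTORS * SECTOR_SIZE].ljust(KERNEL_SECTORS * SECTOR_SIZE, b"\x00")
    return mbr + tail


# Constructed sample data: not real vendor boot code and not real Petya bytes.
CLEAN_IMAGE = make_image(b"FAKE-VENDOR-BOOTCODE", b"")
BASELINE = sector_hashes(CLEAN_IMAGE)
TAMPERED_IMAGE = make_image(b"FAKE-OVERWRITTEN-MBR", b"FAKE-KERNEL" * 3000)

if __name__ == "__main__":
    print(assess(BASELINE, CLEAN_IMAGE))     # no changed sectors, petya_like False
    print(assess(BASELINE, TAMPERED_IMAGE))  # sectors 0..32 changed, petya_like True
```

On a real host the image would come from reading the first 33 sectors of the physical disk with administrative rights, and the baseline hashes should be stored off-box so the comparison survives the reboot the ransomware forces.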

How Does GoldenEye Differ?

GoldenEye is the Petya/Mischa combo that infects recipients and presents two demands for bitcoin payments. Modeled as a job application, the spam campaign targets German speakers, specifically those with human resources titles.

In a sneaky effort to get employees to open the file, the malicious actors include the word “application” in the subject line. With HR departments receiving such a high volume of resumes, the emails are opened without a second thought.

Lending credibility to the malicious file, an innocuous resume is included with a photo of the supposed job applicant. Then lurking inside, there is also a link for recipients to open an XLS file that requires macros to be enabled.

Figure 1: The text in the image above translates to: “Please activate the editing function to display this profile correctly.”

Unsuspecting HR employees enable the macros, only to have a VBScript run in the background and launch the executable that takes over the machine. GoldenEye differentiates itself by using a modified version of Petya to encrypt the MFT before the MBR is overwritten.

In the end, victims are met with a 1.3 bitcoin demand (about $1,000) on two pay pages without the guarantee that decryption keys will be provided.

Figure 2: GoldenEye Ransom Note

The Dangers of Sugarcoated Entry

Typical signs of phishing campaigns might include poorly written emails riddled with spelling errors, or perhaps emails containing Office files. In the case of GoldenEye, the scammers have thought through how to get past even the most security-educated HR employees.

“If you like, do take a look at the other file, where I have put all the dull and boring stuff that HR departments need. It’s up to you. No pressure. And while you are thinking about it, here’s a picture of me, a respectable-looking, polite young man looking for a respectable career. Have a nice day.” Wording like this is probably refreshing to an HR person inundated with boring, “me-centric” resumes.

GoldenEye not only exploits a victim’s files, but their psyche as well. The old adage goes: you can catch more flies with honey than vinegar. In this case, it’s proving to be very effective.

As malicious actors become more thoughtful in their ransomware campaigns, we must stay on top of all the latest threats. By educating users on what to look for, there is a better chance of avoiding paying ransoms.

To help you do that we’ve started a Ransomware Roundup for all the new and interesting developments in the cyber threat arena. Be sure to check back frequently for updates.