Ransomware scum: 'I believe I'm a good fit. See attachments'
HR staffers, crap corporate spam filters, in VXer sights
Criminals are posing as job applicants to drop ransomware into human resources departments.
The ransomware vector contains two attachments. One is a harmless PDF cover letter designed to convince the human resources operative that the criminal's email exchange is legitimate.
A second Excel spreadsheet attachment contains the ransomware payload – a variant of Petya which Check Point researchers designated GoldenEye.
Staff are requested to enable macros – an ancient but sadly effective means of Windows box popping, according to Microsoft – which allows the ransomware to begin encrypting the local drive.
A false loading screen buys GoldenEye time to encrypt. Once the effort is complete, a note demands payment of 1.3 bitcoins (currently US$1,466) for the provision of the decryption key.
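The lure described above pairs a harmless PDF with a macro-carrying spreadsheet, so a mail gateway can triage on the attachment container rather than the sender. The following is an added example written for this page, not code from The Register or Check Point: it builds constructed sample attachments in memory (an OOXML workbook with and without a `xl/vbaProject.bin` part, a PDF header, a legacy OLE header) and classifies a message by what its attachments actually contain. The attachment names, the `triage_message` verdict labels and the sample bytes are assumptions for illustration.

```python
import io
import zipfile

# OLE compound-file signature used by legacy .xls/.doc (constructed constant,
# matches the documented magic bytes).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_xlsx(with_macros: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip, optionally carrying a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # Real VBA projects are OLE streams; only the presence matters here.
            z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


def classify_attachment(name: str, data: bytes) -> str:
    """Classify by content signature, not by the filename the sender chose."""
    if data[:4] == b"PK\x03\x04":
        # OOXML (.xlsx/.xlsm/.docx...) is a zip; macros live in vbaProject.bin.
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            parts = [n.lower() for n in z.namelist()]
        if any(p.endswith("vbaproject.bin") for p in parts):
            return "office-macro"
        return "office-clean"
    if data[:8] == OLE_MAGIC:
        # Legacy binary Office file: may embed VBA, needs OLE stream parsing.
        return "office-legacy"
    if data[:5] == b"%PDF-":
        return "pdf"
    return "other"


def triage_message(attachments):
    """Return (verdict, per-attachment classes) for a list of (name, bytes)."""
    kinds = {name: classify_attachment(name, data) for name, data in attachments}
    verdicts = set(kinds.values())
    if "office-macro" in verdicts:
        # Macro-bearing spreadsheet arriving with a cover letter: the CV lure shape.
        return "quarantine", kinds
    if "office-legacy" in verdicts:
        return "inspect", kinds
    return "deliver", kinds


if __name__ == "__main__":
    # Constructed message mimicking the two-attachment lure.
    lure = [("cover_letter.pdf", b"%PDF-1.4\n%constructed\n"),
            ("cv.xls", build_xlsx(True))]
    print(triage_message(lure))  # ('quarantine', {...})
    print(triage_message([("cv.xlsx", build_xlsx(False))]))  # ('deliver', {...})
```

The point of checking the zip contents rather than the extension is that a `.xlsx` name gives no assurance: a workbook with a VBA part is macro-enabled whatever it is called, and a legacy OLE file is opaque to this check and should be handed to a proper OLE parser before delivery.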
German organisations are being targeted, according to the Check Point researchers who discovered the threat.
"If the campaign sounds familiar, it is probably because it was used in the past by the Cerber ransomware," researchers say. "As both Petya/GoldenEye and Cerber act as ransomware-as-a-service, it is very likely that there is one threat actor leveraging the German CV campaign to send both malware types to their victims."
Enterprises have become a more attractive target for ransomware scum, since consumer webmail providers like Google and Microsoft tweaked spam filters to filter out much of the inbound menace.
Recorded Future threat analyst Allan Liska says company spam filters are typically poor performers, leaving corporations as one of the remaining places where ransomware emails stand a chance of reaching a user and executing.
"Right now, spam campaigns are losing the battle against consumer webmail providers like Yahoo!, Microsoft, and Google," Liska says. "These services have gotten very good at quickly identifying new ransomware campaigns and sending the offending emails to the junk folder.
"This, at least partially, contributed to the rise of ransomware in the enterprise in 2016 – the spam filtering systems in many organisations are less effective, or non-existent, than those of the consumer webmail providers, which is one of the reasons why the attackers behind ransomware have focused on corporate targets."
Only the most well-implemented ransomware forms stand the test of time. White hat security researchers have spent considerable effort breaking the security controls behind scores of ransomware variants in a hugely successful bid to provide victims with free decryption keys.
Much of the work is now formalised into the No More Ransom initiative, which unifies a formerly scattered and siloed, but furious effort by malware researchers to lay waste to scores of ransomware variants.
Some 6,000 users had as of December been liberated from ransomware infection without the need to pay ransoms, thanks to the white hats' work. ®