Petya Ransomware could return as Golden Eye

The Petya-Mischa ransomware has made a comeback in a revamped version. It is based almost entirely on its predecessor, but it goes by a brand new name: Golden Eye.

Like any typical ransomware, the new Golden Eye variant has been set loose to hijack unsuspecting victims' computers and push them to pay up. Its malicious tricks have been found to be almost identical to those of the earlier Petya-Mischa versions.

Most users are cautious, and confident that they would hardly ever fall for a trap set by malware attackers. But it is only a matter of time until we hit a bump, a minor one that can still lead to a breach of security. Only then do all the small suspicious signs become obvious, and by that point the damage has already been done.

The craft of earning a user's trust through manipulative, premeditated lies is called social engineering. Cyber criminals have used this approach for many years to spread ransomware, and it is the same one that Golden Eye deploys.

How does Golden Eye work?

There are reports that the malware arrives disguised as a job application, sitting in the spam folder of the user's email account.

The email is titled ‘Bewerbung’, which means ‘application’. It carries two attachments that purport to be documents relevant to the message: a PDF file that appears to be a genuine résumé, and an XLS (Excel spreadsheet), which is where the ransomware’s modus operandi kicks in.

On the second page of the mail there is a photograph of the supposed applicant. The message ends with polite instructions about the Excel file, stating that it contains important material regarding the job application. There is no explicit demand, just a suggestion made in the most natural way possible, keeping it as formal as a regular job application.

If the victim falls for the deception and presses the “Enable Content” button in the Excel file, a macro is triggered. Once running, it writes its embedded base64 strings out to an executable file in the temp folder. When that file has been created, the VBA script launches it, and the encryption process begins.
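The infection chain above (base64 string literals concatenated inside a macro, written to an executable under the temp folder, then launched) leaves a static fingerprint that a defender can look for in extracted VBA source. The following Python is an added example written for this article, not code from the original page or from any analysis of Golden Eye itself. The macro text, the fake MZ stub and the helper name `DecodeBase64` are all constructed for the example; in practice the VBA source would come from a macro extraction tool.

```python
import base64
import binascii
import re

# Constructed sample payload: only an MZ header and DOS-stub text (72 bytes),
# not a real program. It stands in for the executable a dropper macro embeds.
FAKE_PE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 14
)
_B64 = base64.b64encode(FAKE_PE).decode()  # 96 base64 characters
_CHUNKS = [_B64[i:i + 24] for i in range(0, len(_B64), 24)]

# Constructed macro source (hypothetical, written for this example) in the
# shape the article describes: base64 literals concatenated, written to an
# executable under %TEMP% and then launched.
SAMPLE_MACRO = "\n".join(
    ["Sub Workbook_Open()", "    Dim s As String", "    Dim p As String"]
    + ['    s = s & "%s"' % c for c in _CHUNKS]
    + [
        '    p = Environ("TEMP") & "\\svc.exe"',
        "    Open p For Binary As #1",
        "    Put #1, , DecodeBase64(s)",  # DecodeBase64: hypothetical helper
        "    Close #1",
        "    Shell p, vbHide",
        "End Sub",
    ]
)

# Constructed benign macro for comparison: formats a sheet, nothing else.
BENIGN_MACRO = "\n".join([
    "Sub FormatSheet()",
    '    Range("A1:D1").Font.Bold = True',
    '    MsgBox "Formatting done"',
    "End Sub",
])

# A string literal made only of base64 alphabet characters and long enough
# not to be an ordinary word, path fragment or cell reference.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/=]{20,})"')

# Behaviours from the infection chain: writing under %TEMP%, binary file
# output, and spawning a process.
BEHAVIOURS = {
    "writes_to_temp": re.compile(r'Environ\s*\(\s*"TEMP"\s*\)', re.IGNORECASE),
    "binary_file_write": re.compile(r"\bOpen\b.*\bFor\s+Binary\b", re.IGNORECASE),
    "spawns_process": re.compile(r"\b(Shell|WScript\.Shell|CreateObject)\b", re.IGNORECASE),
}


def reassemble_payload(vba_source: str) -> bytes:
    """Concatenate base64-looking literals in source order and decode them.
    Returns b"" when there is nothing to decode or the blob is malformed."""
    blob = "".join(B64_LITERAL.findall(vba_source))
    if not blob:
        return b""
    try:
        return base64.b64decode(blob, validate=True)
    except binascii.Error:
        return b""


def analyse_macro(vba_source: str) -> dict:
    """Score a macro on an embedded executable plus behavioural indicators."""
    payload = reassemble_payload(vba_source)
    embeds_pe = payload.startswith(b"MZ")  # DOS/PE executable magic
    indicators = [name for name, rx in BEHAVIOURS.items() if rx.search(vba_source)]
    # An embedded executable alone is enough; otherwise require two of the
    # behavioural indicators together to keep false positives down.
    verdict = "suspicious" if embeds_pe or len(indicators) >= 2 else "clean"
    return {
        "embeds_pe": embeds_pe,
        "payload_size": len(payload),
        "indicators": indicators,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, src in (("dropper", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, analyse_macro(src))
```

The decode step is what separates this from a plain keyword scan: a macro that merely mentions `Shell` is common in business spreadsheets, whereas one whose string literals reassemble into something starting with `MZ` is carrying a Windows executable. Real droppers often obfuscate further (reversed or XORed strings, split across several procedures), so treat the regex as a first-pass triage rule rather than a complete detector.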

Differences from Petya-Mischa:

The encryption process of Golden Eye differs a little from Petya-Mischa’s. Golden Eye encrypts the computer’s files first and only then tries to install the MBR (Master Boot Record) component. It appends a random 8-character extension to each file it targets. After that it modifies the system’s boot process, locking the user out and rendering the computer unusable.
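The random 8-character extension described above is a behavioural signal a defender can monitor for: legitimate software rarely renames many files to such extensions in quick succession. The following Python is an added example written for this article, not code from the original page, and the rename telemetry it runs over is constructed (the process name `svc.exe`, the paths and the extension `Xk92pLqA` are all invented for the example).

```python
import re
from collections import defaultdict

# A file name ending in a dot followed by exactly eight letters or digits.
RANDOM_EXT = re.compile(r"\.[A-Za-z0-9]{8}$")

# Constructed sample of file-rename telemetry (hypothetical; fields are
# seconds since start, process image name, old path, new path). The first
# six events are a dropper-style burst, the last is a lone benign rename to
# a real 8-character extension (.manifest), included to show why a single
# rename must not trigger the rule.
EVENTS = [
    (0.0, "svc.exe", r"C:\Users\anna\Documents\budget.xlsx", r"C:\Users\anna\Documents\budget.xlsx.Xk92pLqA"),
    (0.4, "svc.exe", r"C:\Users\anna\Documents\report.docx", r"C:\Users\anna\Documents\report.docx.Xk92pLqA"),
    (1.1, "svc.exe", r"C:\Users\anna\Pictures\holiday.jpg", r"C:\Users\anna\Pictures\holiday.jpg.Xk92pLqA"),
    (2.0, "svc.exe", r"C:\Users\anna\Desktop\notes.txt", r"C:\Users\anna\Desktop\notes.txt.Xk92pLqA"),
    (2.7, "svc.exe", r"C:\Users\anna\Music\track01.mp3", r"C:\Users\anna\Music\track01.mp3.Xk92pLqA"),
    (3.5, "svc.exe", r"C:\Users\anna\Videos\clip.mp4", r"C:\Users\anna\Videos\clip.mp4.Xk92pLqA"),
    (40.0, "explorer.exe", r"C:\Tools\app.txt", r"C:\Tools\app.manifest"),
]


def is_random_extension_rename(old_path: str, new_path: str) -> bool:
    """True when a file gains an 8-character extension it did not have before."""
    return bool(RANDOM_EXT.search(new_path)) and not RANDOM_EXT.search(old_path)


def detect_rename_bursts(events, window=60.0, threshold=5):
    """Return {process: distinct files} for every process that renamed at least
    `threshold` distinct files to a random-looking 8-character extension within
    any `window`-second span. Events may arrive in any order."""
    per_proc = defaultdict(list)
    for ts, proc, old_path, new_path in events:
        if is_random_extension_rename(old_path, new_path):
            per_proc[proc].append((ts, old_path))

    alerts = {}
    for proc, hits in per_proc.items():
        hits.sort()
        # Sliding window: start at each hit in turn and count the distinct
        # files renamed before the window closes.
        for start, _ in hits:
            seen = {path for ts, path in hits if start <= ts < start + window}
            if len(seen) >= threshold:
                alerts[proc] = len(seen)
                break
    return alerts


if __name__ == "__main__":
    print(detect_rename_bursts(EVENTS))
```

The rule keys on a per-process burst rather than on any single rename because genuine 8-character extensions exist (`.manifest` in the sample). Tuning `window` and `threshold` against normal file-server activity is what makes it usable; paired with a canary file that nothing legitimate should touch, it gives an early signal while the encryption pass is still running rather than after the reboot and fake CHKDSK screen.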

It then displays a threatening ransom note and forcibly reboots the system. A fake CHKDSK screen pops up, pretending to repair problems with your hard drive.

Then a skull and crossbones, drawn in dramatic ASCII art, flashes on the screen. To make sure you don’t miss it, it asks you to press a key, after which you are given explicit instructions on how to pay the demanded sum.

To recover your files you need to enter your personal key into the portal provided, and to access that portal you have to pay 1.33284506 bitcoins, equal to $1019.

Unfortunately, no tool has yet been released that can decrypt files encrypted by this ransomware.
