Petya Ransomware could return as Golden Eye

by Radu Tyrsina

The Petya-Mischa ransomware has returned in a revamped version. It is built on the earlier Petya-Mischa code but circulates under a brand new name, Golden Eye.

Like typical ransomware, the new Golden Eye variant has been set loose to take over victims' computers and pressure them into paying. Its tactics are almost identical to those of the earlier Petya-Mischa versions.

Most users are cautious, and confident that they would never fall for a trap set by malware authors. But it only takes one lapse, even a minor one, to open a breach. Only afterwards do all the small suspicious signs become obvious, and by then the damage has already been done.

The craft of winning a user's trust through deliberate, premeditated lies is called social engineering. Cyber criminals have relied on it for years to spread ransomware, and it is the same approach Golden Eye uses.

How does Golden Eye work?

According to reports, the malware arrives disguised as a job application, typically landing in the spam folder of the user's email account.

The email is titled 'Bewerbung', German for 'application'. It carries two attachments presented as files relevant to the message: a PDF that looks like a genuine resume, and an XLS (Excel spreadsheet), which is where the ransomware's modus operandi kicks in.

The second page of the message shows a photograph of the supposed applicant. It closes with polite instructions about the Excel file, stating that it contains important material regarding the job application. There is no explicit demand, just a suggestion phrased as naturally as possible, keeping the tone as formal as a regular job application.

If the victim falls for the deception and clicks the "Enable Content" button in the Excel file, a macro runs. The macro decodes base64 strings embedded in the document, writes the result to an executable file in the temp folder, and then launches it; that is what starts the encryption process.
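As an added example (not code from the original article, and not Golden Eye's own macro), the script below shows how an analyst can triage macro source of the shape just described: it collects the base64 string literals, decodes them joined in source order (droppers commonly split one blob across several `s = s & "..."` lines), checks whether the result carries an MZ/PE header, and flags the drop-to-%TEMP%-and-execute pattern. The VBA text and the payload are constructed for illustration; the "payload" is a fake PE header, not an executable.

```python
import base64
import binascii
import re

# Constructed VBA resembling the dropper described above: one base64 blob split
# across several string literals, written under %TEMP% and executed. The blob is
# a fake PE header (MZ stub whose e_lfanew points at "PE\0\0"), not a program.
FAKE_PE = (b"MZ" + b"\x00" * 58                 # DOS header, e_lfanew lives at 0x3C
           + (64).to_bytes(4, "little")          # e_lfanew = 0x40
           + b"PE\x00\x00" + b"\x00" * 32)       # PE signature, then filler
PAYLOAD_B64 = base64.b64encode(FAKE_PE).decode()

SAMPLE_VBA = f'''
Sub Workbook_Open()
    Dim s As String, p As String
    s = "{PAYLOAD_B64[:40]}"
    s = s & "{PAYLOAD_B64[40:]}"
    p = Environ("TEMP") & "\\upd.exe"
    WriteBytes p, DecodeBase64(s)
    Shell p, vbHide
End Sub
'''

# Constructed benign macro used as a negative control.
BENIGN_VBA = '''
Sub FormatReport()
    Range("A1:D20").Font.Bold = True
    MsgBox "Formatting done"
End Sub
'''

# Quoted string literals made only of base64 alphabet characters, 16+ chars long.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/=]{16,})"')

INDICATORS = {
    "autorun":   re.compile(r"\b(Workbook_Open|Auto_Open|Document_Open|AutoOpen)\b", re.I),
    "temp_path": re.compile(r'Environ\$?\s*\(\s*"TEMP"\s*\)', re.I),
    "executes":  re.compile(r"\b(Shell|ShellExecute|WScript\.Shell|CreateProcess)\b", re.I),
}


def extract_base64_literals(vba: str) -> list:
    """Return candidate base64 string literals in source order."""
    return B64_LITERAL.findall(vba)


def decode_candidates(literals) -> list:
    """Decode the literals joined together and each one on its own; skip
    anything that is not valid base64 (ordinary long strings, split chunks)."""
    decoded = []
    for text in ["".join(literals)] + list(literals):
        try:
            decoded.append(base64.b64decode(text, validate=True))
        except (binascii.Error, ValueError):
            pass
    return decoded


def looks_like_pe(data: bytes) -> bool:
    """MZ magic at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(vba: str) -> dict:
    """Score one macro module: behavioural indicators plus an embedded-PE check."""
    findings = {name: bool(rx.search(vba)) for name, rx in INDICATORS.items()}
    blobs = decode_candidates(extract_base64_literals(vba))
    findings["embedded_pe"] = any(looks_like_pe(b) for b in blobs)
    # An embedded executable is damning on its own; otherwise require both the
    # temp-folder drop and an execution primitive before raising an alert.
    findings["suspicious"] = findings["embedded_pe"] or (
        findings["temp_path"] and findings["executes"])
    return findings


if __name__ == "__main__":
    for label, src in (("sample dropper", SAMPLE_VBA), ("benign macro", BENIGN_VBA)):
        print(label, triage(src))
```

In practice the macro text would come from the workbook's `vbaProject.bin` (for example via the `olevba` tool from oletools); the point of the check is that the base64 blob only reveals itself as a PE once the split literals are reassembled in order.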

Differences from Petya-Mischa:

Golden Eye's encryption process differs a little from Petya-Mischa's. Golden Eye encrypts the computer's files first, appending a random 8-character extension to each file it targets, and only then installs its own MBR (Master Boot Record). By modifying the boot process it renders the computer unusable and locks the user out.
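To give the MBR step something concrete, here is an added example (not the article's code and not derived from Golden Eye's own loader) that parses a 512-byte MBR sector and compares its bootstrap code and partition table against a baseline captured from a clean machine, one way to catch a boot-sector overwrite of this kind. Both sectors are constructed in memory; reading the live sector from `\\.\PhysicalDrive0` requires administrative rights and is assumed rather than shown.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440     # bytes 0..439 hold the bootstrap code
TABLE_OFFSET = 446      # four 16-byte partition entries follow the disk signature
SIG_OFFSET = 510        # trailing 0x55AA boot signature


def build_sector(bootstrap: bytes, partitions) -> bytes:
    """Assemble a constructed MBR: bootstrap, disk signature, partition table, 0x55AA."""
    assert len(bootstrap) <= BOOTSTRAP_LEN
    body = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")
    body += b"\x11\x22\x33\x44" + b"\x00\x00"          # disk signature + reserved
    entries = b""
    for status, ptype, start_lba, size in partitions:
        # status, CHS start (unused here), type, CHS end (unused), LBA start, LBA length
        entries += struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3,
                               start_lba, size)
    return body + entries.ljust(64, b"\x00") + b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into the fields an integrity check cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, start_lba, size = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype:                                     # type 0 is an empty slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "start_lba": start_lba, "sectors": size})
    return {
        "valid_signature": sector[SIG_OFFSET:] == b"\x55\xAA",
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "table_sha256": hashlib.sha256(sector[TABLE_OFFSET:SIG_OFFSET]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read sector with a baseline; an empty list means no change."""
    cur = parse_mbr(sector)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature is not 0x55AA")
    if cur["bootstrap_sha256"] != baseline["bootstrap_sha256"]:
        findings.append("bootstrap code differs from baseline")
    if cur["table_sha256"] != baseline["table_sha256"]:
        findings.append("partition table differs from baseline")
    return findings


# Constructed sectors. GOOD_BOOTSTRAP opens with the usual real-mode stack setup
# (xor ax,ax / mov ss,ax / mov sp,0x7C00) padded with NOPs; it is illustrative,
# not a copy of any vendor's boot code.
GOOD_BOOTSTRAP = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 40
PARTS = [(0x80, 0x07, 2048, 1_000_000), (0x00, 0x07, 1_002_048, 5_000_000)]
GOOD_SECTOR = build_sector(GOOD_BOOTSTRAP, PARTS)
BASELINE = parse_mbr(GOOD_SECTOR)

# Tampered sector: partition table untouched, bootstrap replaced by a stand-in
# for a loader that chains into attacker code stored in later sectors.
TAMPERED_SECTOR = build_sector(b"\xFA\x33\xC0\x8E\xD8" + b"\xCC" * 60, PARTS)

if __name__ == "__main__":
    print("clean:", check_mbr(GOOD_SECTOR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_SECTOR, BASELINE))
```

Hashing the bootstrap area and the partition table separately matters: a legitimate partition change should not be mistaken for a loader overwrite, and a loader overwrite that keeps the table intact, which is exactly what lets the fake CHKDSK stage run, still trips the check.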

It then displays a threatening ransom note and forcibly reboots the system. After the reboot a fake CHKDSK screen appears, pretending to repair problems with the hard drive.

Then a skull and crossbones drawn in dramatic ASCII art flashes on the screen. To make sure you don't miss it, it asks you to press a key, after which you are given explicit instructions on how to pay the demanded sum.

To recover the files you need to enter your personal key on a portal provided by the attackers. To get access you have to pay 1.33284506 bitcoins, equal to $1,019 at the time of writing.

Unfortunately, no tool has yet been released that can decrypt files encrypted by this ransomware.
