Petya Ransomware could return as Golden Eye

Khushaar Tanveer avatar. By: Khushaar Tanveer
3 minute read
protect pc from ransomware

Home » News » Petya Ransomware could return as Golden Eye

The Petya-Mischa ransomware has made a comeback with a revamped version. It is solely based on the previous product but it uses a brand new name – Golden Eye.

Like a typical ransomware, the new variant Golden Eye has been set loose to hijack innocent victim’s computers and urge them to pay up. Its malicious tricks are found to be almost identical to previous Petya-Mischa versions.

Most users are cautious as well as confident that they would hardly ever fall for a trap set by malware attackers. But it is only a matter of time until we hit a bump, a minor bump that could lead to a breach in security. It is then, all the small suspicious signs become obvious but till then the damage has already been done.

So, the science of earning the trust of users by manipulative and premeditated lies is called Social Engineering. It is this approach that has been used by cyber criminals for many years for spreading ransomware. And is the same one that the ransomware Golden Eye has deployed.

How does Golden Eye work?

There are reports that the malware is received,  disguised as a job application. It sits in the spam folder of a user’s email accounts.

The email is titled ‘Bewerbung’ that means ‘application’. It comes with two attachments which contain attachments purporting to be files, important to the message. A PDF file – that appears to be a genuine looking resume. And an XLS (Excel spreadsheet) – this is where the ransomware’s modus operandi kicks in.

On the second page of the mail, there is a photograph of the asserted applicant. It ends with polite instructions about the excel file, stating that it contains significant material regarding the job application. No explicit demand, just a suggestion in the most natural way possible, keeping it as formal as a regular job application.

If the victim falls for the deception and presses the “Enable Content” button in the excel file, a macro is triggered. After successfully launching, it saves the embedded base64 strings into an executable file in the temp folder. When the file is created, a VBA script runs and it elicits the encryption process.

Dissimilarities with Petya Mischa:

The encryption process of Golden Eye is a little different from Petya-Misha’s one. Golden Eye encrypts the computer’s files first and then tries installing the MBR (Master Boot Record). It then appends a random 8-character extension on each file it targets. After that it modifies the boot process of the system, rendering the computer useless by restricting user access.

It then shows a threatening ransom note and forcibly reboots the system. A fake CHKDSK screen pops-up that acts like it is repairing some issues with your hard drive.

Then a skull and a cross bone flash on the screen, made by dramatic ASCII art. To make sure you don’t miss it, it asks you to press a key. Then you are given explicit instructions on how to pay the demanded sum.

To recover the files you would need to enter your personal key to a portal provided. To access it you will have to pay 1.33284506 bitcoins, equal to $1019.

What’s unfortunate is, there is yet no tool released for this ransomware that could decrypt its encryption algorithm.


Next up

Windows was unable to install your Broadcom USH [PRO TIPS]

Sovan Mandal avatar. By: Sovan Mandal
3 minute read

Broadcom USH which stands for Unified Security Hub is relevant for those devices that come with an integrated fingerprint reader. That also makes it extremely […]

Continue Reading

Microsoft redesigns how Chinese and Japanese IMEs work with apps

Rabia Noureen avatar. By: Rabia Noureen
2 minute read

Microsoft released new Japanese and Chinese IMEs to Windows Insiders that are currently enrolled in the Fast Ring. These changes were introduced with the  Windows […]

Continue Reading

Fix Windows 10 file size incorrect like a PRO

Matthew Adams By: Matthew Adams
3 minute read

Some users have been a little baffled by properties windows showing them wrong calculation of file and folder size. File Explorer shows some users that […]

Continue Reading