Ransomware is vicious malware that locks users out of their devices or blocks access to files until a sum of money or ransom is paid. Ransomware attacks cause downtime, data loss, possible intellectual property theft, and in particular industries, a ransomware attack is considered a data breach.
Sophos recently discovered a new strain of ransomware called GoldenEye. It encrypts workstations TWICE: both the files and the Master File Table (MFT).
It is a phishing attack with two attachments: one is a PDF and the other an Excel file. The Excel file contains a loader that pulls down all the malware; the PDF is the social engineering ruse that makes the user open the Excel file. If your user is untrained enough to open both attachments and there are important files on the local hard disk without a backup, you potentially get to pay ransom TWICE.
The spam email presents itself as a job application form to be filled out. It has an uninfected PDF attached with the application to get the process started, and in the PDF is a nice reference that the Excel file contains more details – no specific demand to open up the file, just business as usual.
Opening up the Excel file, you get a suggestion on how to display the aptitude test. Sophos said: “The crooks don’t openly ask you to do anything obviously risky, such as “Enable macros” or “Turn off the default security configuration”, but they do encourage you to make a change to your Office settings, something that Excel will invite you to do because the file contains what are known as Visual Basic for Applications (VBA) macros.
In fact, if you permit macros to run in this Excel file, you will quickly regret it: the VBA downloads a copy of the Goldeneye ransomware and immediately launches it.” The VBA programming language used in Office macros is powerful enough to let cybercriminals control Word or Excel programmatically, but also to perform more general actions such as downloading files from the web, saving them to disk, and running them.
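As an added defensive example (not part of the original post or of Sophos's analysis), here is a Python check that a mail gateway or attachment-triage script could apply to an Office file before a user ever sees the enable-macros prompt: it inspects the OOXML package for an embedded VBA project without trusting the file extension. The function names and the sample packages are my own constructions; legacy binary .xls files are out of scope and flagged as "not inspectable" here.

```python
import io
import zipfile
from typing import Optional

# Content type an OOXML package declares for an embedded VBA project.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_project(data: bytes) -> Optional[bool]:
    """True if an OOXML (.xlsm/.docm/.pptm) attachment carries a VBA project,
    False if it is a macro-free OOXML package, None if the bytes are not an
    OOXML zip at all (e.g. legacy binary .xls, which needs an OLE parser
    such as olefile to inspect)."""
    if not data.startswith(b"PK\x03\x04"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return None
            # Check 1: a part named vbaProject.bin under xl/, word/, ppt/ ...
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            # Check 2: the package manifest declares the VBA content type.
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            return VBA_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        return None


def _build_package(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like package for the demo (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_macro:
            types += '<Override PartName="/xl/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed")
        types += "</Types>"
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


MACRO_SAMPLE = _build_package(True)   # constructed: carries a VBA project
CLEAN_SAMPLE = _build_package(False)  # constructed: no macros

if __name__ == "__main__":
    for label, blob in (("macro", MACRO_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, has_vba_project(blob))
```

A None result should route the attachment to a deeper scanner rather than be treated as clean.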
Once the Excel file is activated, all the malicious activity happens in the background, but when the encryption pass is done, a whole bunch of files called YOUR_FILES_ARE_ENCRYPTED.TXT are left behind, announcing the infection:
Most strains of file-encrypting ransomware stop here, but Goldeneye’s developer has experience in this field and mounts a double-whammy attack similar to their Petya / Misha strain, encrypting the Master File Table (MFT) of the machine as well.
Goldeneye works a bit differently from the previous editions: it first encrypts the files, then performs the UAC bypass and the low-level MFT attack, then reboots and pretends to run CheckDisk.
Once the “check” is finished, another reboot sounds the alarm with some dramatic ASCII art:
Pressing the Any Key gives you this:
In case you are wondering why the personal decryption code was redacted in the images above: the encryption is different for your files and your MFT (Master File Table), and the malware uses different algorithms and different keys each time.
In short, if you pay up to unlock your scrambled MFT so you can reboot into Windows, then, assuming the crooks send you the key, you’ll get back into Windows only to face the YOUR_FILES_ARE_ENCRYPTED.TXT pay page as well. If you do not have any backup, you get to pay 1.4 Bitcoins all over again. That’s 2.8 total per infected machine, which starts to get very expensive. The Bitcoin price as of December is about $780 USD per Bitcoin, so 2.8 Bitcoins would set you back about $2,200 per infected machine.