Goldeneye ransomware: the resumé that scrambles your computer twice

Thanks to Dorka Palotay of SophosLabs for her behind-the-scenes work on this article.

Hindsight is a wonderful thing.

With hindsight, few of us would ever fall victim to ransomware: most ransomware attacks rely on talking us past at least one security speed bump…

…and those speed bumps sometimes seem very obvious after the event.

Nevertheless, even the most careful and self-confident of us – and all of us who haven’t been hit by ransomware – need to admit that there are times when we’ve behaved online in a way that ended well, but more by accident than by design.

In other words, we’ve all opened emails and attachments that turned out to be unwanted but didn’t lead to malware, only to wonder afterwards quite what it was about the email or the document that made us trust it.

Winning your trust with a pack of believable lies, especially technical lies, is known as social engineering, and that’s how most ransomware works its way in.

A recent spam campaign in Germany shows up the sort of techniques that cybercriminals think up: this one introduced a new strain of ransomware calling itself Goldeneye, arriving with not one but two attachments, a PDF file and an XLS (Excel spreadsheet):

Even incautious users are worried about unexpected Excel files these days, which is presumably why these crooks included an unsuspicious, uninfected PDF file containing a polite job application (the word Bewerbung in the email subject means application), just to get the ball rolling:

(We’ve redacted the details, because we assume that the crooks have stolen a real CV for verisimilitude, and we don’t want to name and shame the person whose personal information appears in the document.)

The second page includes a photograph of the alleged applicant, and the last page very politely points out that the Excel file contains the very details you might reasonably expect in a job application:

There’s no explicit demand to open the file, just an implicit suggestion that opening it, as any diligent HR person might do, will work out fine.

Simply put, the crooks are trying to make the email look like “business as usual”.

Even if you aren’t hiring right now, your company may be one of many that keeps the CVs of suitable applicants on file, so checking out their documents is not abnormal, and usually doesn’t lead to malware.

What next?

When you open the Excel file, you don’t see any personal information, but you do get a suggestion on how to bring up the claimed aptitude test information:

The crooks don’t openly ask you to do anything obviously risky, such as “Enable macros” or “Turn off the default security configuration”, but they do encourage you to make a change to your Office settings, something that Excel will invite you to do because the file contains what are known as Visual Basic for Applications (VBA) macros.

The VBA programming language used in Office macros is a powerful system that not only allows a crook to control Word or Excel programmatically, but also to perform more general actions such as downloading an EXE file (Windows program) from the web, or saving data stored inside the Office file to disk as a program, and running it.

In other words, Office macros are potentially as dangerous as full-blown Windows executable files, so reducing security on the say-so of a spreadsheet like this one is a risky thing to do.

In fact, if you permit macros to run in this Excel file, you will quickly regret it: the VBA writes an embedded copy of the Goldeneye ransomware to disk and launches it.
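To make the “drop an embedded program and run it” pattern concrete, here is an added example (our illustration, not Sophos’ detection code and not the crooks’ macro): a small triage heuristic in Python that scans VBA source text, of the kind a tool such as oletools’ olevba extracts from an Office file, for the three stages the attack needs: an auto-execute entry point, a write of document-embedded bytes to disk, and a process launch. The two VBA snippets inside it are constructed for this example and only imitate the style described above. It rates what a macro is capable of, not what it intends, so a hit is a reason to detonate the file in a sandbox, not proof of malice.

```python
"""Triage heuristic for VBA macro source: does this macro contain the
auto-run -> write-to-disk -> launch chain that turns a spreadsheet into
a dropper? Added example; the VBA samples are constructed, not real."""
import re

# Each stage maps a human-readable label to a pattern for one VBA idiom.
SIGNATURES = {
    # Procedures Office runs by itself once macros are enabled.
    "auto_exec": {
        "Auto_Open": r"\bAuto_Open\b",
        "Workbook_Open": r"\bWorkbook_Open\b",
        "Document_Open": r"\bDocument_Open\b",
        "AutoOpen": r"\bAutoOpen\b",
    },
    # Ways of getting bytes from inside the document onto disk.
    "file_write": {
        "Open For Binary/Output": r"\bOpen\b[^\n]*\bFor\s+(?:Binary|Output)\b",
        "Put #": r"\bPut\s*#",
        "CreateTextFile": r"\bCreateTextFile\b",
        "ADODB SaveToFile": r"\bSaveToFile\b",
    },
    # Ways of starting a program. The lookbehind keeps "WScript.Shell"
    # from double-counting as the Shell() function.
    "exec": {
        "Shell": r'(?<!\.)\bShell\b\s*(?:\(|"|\w)',
        "WScript.Shell": r"\bWScript\.Shell\b",
        ".Run": r"\.Run\b",
        "ShellExecute": r"\bShellExecute\b",
    },
    # Payload smuggling: bytes rebuilt at run time from literals or cells.
    "decode": {
        "Chr()": r"\bChr\s*\(",
        "StrConv": r"\bStrConv\b",
        "CByte": r"\bCByte\b",
        "Xor": r"\bXor\b",
    },
}
COMPILED = {stage: {label: re.compile(p, re.I) for label, p in sigs.items()}
            for stage, sigs in SIGNATURES.items()}


def triage_vba(source: str) -> dict:
    """Return the idioms found per stage, whether the full drop-and-run
    chain is present, and a coarse score (capped at 2 hits per stage,
    plus 4 when the chain is complete)."""
    # Drop comment-only lines so a harmless remark can't trigger a hit.
    code = "\n".join(line for line in source.splitlines()
                     if not line.lstrip().startswith("'"))
    hits = {stage: sorted(label for label, rx in sigs.items() if rx.search(code))
            for stage, sigs in COMPILED.items()}
    chain = bool(hits["auto_exec"] and hits["file_write"] and hits["exec"])
    score = sum(min(len(found), 2) for found in hits.values()) + (4 if chain else 0)
    return {"hits": hits, "drop_and_run": chain, "score": score}


# Constructed sample in the style the article describes: rebuild bytes
# from worksheet cells, write them to %TEMP%, then launch the result.
MALICIOUS_SAMPLE = r'''
' Constructed for this example; not the real Goldeneye macro.
Private Sub Workbook_Open()
    Dim p As String, i As Long
    p = Environ("TEMP") & "\bewerbung.exe"
    Open p For Binary Access Write As #1
    For i = 1 To Sheets("Daten").Cells(1, 1).Value
        Put #1, , CByte(Sheets("Daten").Cells(i, 2).Value Xor 77)
    Next i
    Close #1
    Shell p, vbHide
End Sub
'''

# Constructed benign sample: an auto-run macro that only formats a cell.
BENIGN_SAMPLE = r'''
Private Sub Workbook_Open()
    Sheets("Bewerbung").Range("A1").Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage_vba(sample))
```

Note that the benign sample also has a Workbook_Open procedure: an auto-run entry point on its own is normal in business spreadsheets, which is exactly why the heuristic only raises the alarm when file-write and process-launch capability sit alongside it.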

You won’t see anything at first, but the malware soon starts encrypting the data files on your hard disk, leaving behind a series of files called YOUR_FILES_ARE_ENCRYPTED.TXT that tell you the bad news:

Most file-scrambling ransomware stops there, but Goldeneye goes into bat a second time, running a modified version of the Petya ransomware to encrypt the Master File Table (MFT) of your hard disk as well.

The MFT is the index on an NTFS-formatted disk that keeps track of which sectors belong to which files, which makes it vital to finding anything at all on your hard disk:

Without the MFT, your disk is like a whole library of books torn into a heap of individual pages and then thoroughly shuffled: the raw data is there, somewhere, but stitching it back together is so difficult as to be almost impossible.
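To show what the MFT actually records, and why scrambling it is so much worse than deleting a few files, here is an added example in Python (ours, not Sophos’ or the malware’s code). It decodes two pieces of an NTFS MFT record: the record header, which must begin with the signature FILE, and a $DATA attribute’s data runs, the compact list that says which clusters on disk hold a file’s contents. The record and run list are constructed here (a minimal header and a two-run list), not read from a real volume; real records carry more attributes and update-sequence fixups, which this skips. The “scramble” step is a stand-in for whatever cipher a disk-level encryptor uses and says nothing about the algorithm Goldeneye actually applies.

```python
"""Decode the parts of an NTFS MFT record that map a file to its sectors,
then scramble the record and show that the map is gone. Added example;
record bytes are constructed, and scramble() is a stand-in cipher."""
import struct

MFT_RECORD_SIZE = 1024   # the usual record size on NTFS volumes


def decode_data_runs(runs: bytes) -> list:
    """Return [(first_cluster, cluster_count), ...] from a data-run list.
    Each run starts with a header byte: low nibble = byte size of the
    length field, high nibble = byte size of the offset field. Offsets
    are signed and relative to the previous run's start; an offset size
    of 0 marks a sparse run with no clusters allocated (first_cluster is
    None). A zero header byte terminates the list."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        hdr = runs[pos]
        pos += 1
        len_size, off_size = hdr & 0x0F, hdr >> 4
        if len_size == 0 or pos + len_size + off_size > len(runs):
            raise ValueError("truncated or corrupt data-run list at offset %d" % pos)
        length = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            start = None
        else:
            lcn += int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
            pos += off_size
            start = lcn
        out.append((start, length))
    return out


def build_record(record_number: int, in_use: bool = True) -> bytes:
    """Construct a minimal MFT record header (example data, not a real one):
    'FILE' signature, update sequence array at 0x30, first attribute at
    0x38, flags, used/allocated sizes, record number, end marker."""
    rec = bytearray(MFT_RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)                # USA offset, size in words
    struct.pack_into("<H", rec, 0x14, 0x38)                    # offset of first attribute
    struct.pack_into("<H", rec, 0x16, 0x1 if in_use else 0x0)  # flags: 1 = in use, 2 = directory
    struct.pack_into("<II", rec, 0x18, 0x3C, MFT_RECORD_SIZE)  # used size, allocated size
    struct.pack_into("<I", rec, 0x2C, record_number)           # this record's number
    struct.pack_into("<I", rec, 0x38, 0xFFFFFFFF)              # end-of-attributes marker
    return bytes(rec)


def parse_record_header(rec: bytes) -> dict:
    """Parse the fields a file-system driver needs before it trusts a record."""
    if len(rec) < 0x30 or rec[0:4] != b"FILE":
        raise ValueError("not an MFT record: signature is %r" % rec[0:4])
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    record_number, = struct.unpack_from("<I", rec, 0x2C)
    return {"record_number": record_number,
            "in_use": bool(flags & 0x1),
            "is_directory": bool(flags & 0x2),
            "first_attribute_offset": first_attr}


def scramble(data: bytes, key: bytes = b"\x5a\xa5\x3c") -> bytes:
    """Stand-in for a sector cipher: repeating-key XOR. Deliberately NOT
    Goldeneye's algorithm; it exists only to produce an unreadable record."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def record_usable(rec: bytes, runs: bytes) -> bool:
    """True only if the header parses, the record is live, and every run
    points at allocated clusters: the minimum for finding a file's data."""
    try:
        hdr = parse_record_header(rec)
        return hdr["in_use"] and all(s is not None for s, _ in decode_data_runs(runs))
    except ValueError:
        return False


# Constructed run list: 16 clusters starting at LCN 256, then 8 more
# starting 32 clusters after the first run (0x21 = 1-byte length,
# 2-byte offset; 0x11 = 1-byte length, 1-byte offset; 0x00 ends it).
DATA_RUNS = bytes.fromhex("21100001" "110820" "00")
RECORD = build_record(42)

if __name__ == "__main__":
    print(parse_record_header(RECORD))
    print(decode_data_runs(DATA_RUNS))
    print("intact usable:", record_usable(RECORD, DATA_RUNS))
    print("scrambled usable:", record_usable(scramble(RECORD), scramble(DATA_RUNS)))
```

The point of the last line is the library analogy above: the clusters at 256 and 288 are untouched, but once the record that says “this file lives at 256 to 271 and 288 to 295” no longer parses, nothing on the system knows which sectors to read, or in what order.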

Like Petya, Goldeneye reboots and pretends to be doing a disk check:

Once the “check” is finished, another reboot sounds the alarm with some dramatic ASCII art:

The skull flashes yellow and black to make sure you can’t miss it; when you press a key, you see a note almost identical to the YOUR_FILES_ARE_ENCRYPTED.TXT file mentioned above:

In case you’re wondering (we redacted the so-called personal decryption codes in the images above), the file encryption and the MFT encryption are independent: the malware uses different algorithms and different keys for each.

In short, if you pay up to unlock your scrambled MFT so you can reboot into Windows, then, assuming the crooks actually send you the key…

…you’ll get back into Windows only to face the YOUR_FILES_ARE_ENCRYPTED.TXT pay page as well.

If you don’t have any backup, you get to pay up all over again.

Note. Sophos products block this malware as follows: Troj/DocDrop-PX, -QA and -QC (booby-trapped XLS files); Troj/Petya-AD, -AF and -AG (the Goldeneye executables dropped by the macros).

What to do?

When we checked, the crooks were demanding a fairly steep ransom of close to 1.4 bitcoins (about $1000) on each pay page, so a double-whammy Goldeneye attack could cost you $2000, and that’s if the crooks come through with the decryption keys:

As always, the best defence is not to get infected in the first place, so we’ve published a guide entitled How to stay protected against ransomware that we think you’ll find useful:

You might also enjoy our Techknow podcast Dealing with Ransomware:

