HR Departments Targeted with Ransomware in Job Applications

Is your organization actively recruiting new employees? If so, alert your HR department about the latest ransomware campaign to hit the streets.

GoldenEye – the new ransomware flavor of the month – is strikingly similar to the traditional variants, but the delivery method has some added twists and turns.

HR Department Targeted

Cyber criminals distributing the GoldenEye ransomware are taking advantage of an HR professional’s tendency to respond to emails from complete strangers.

HR professionals usually have access to a treasure trove of personal and sensitive information, making them ideal targets for ransomware. If they lose access to that information, the company is more likely to pay the ransom demand to reclaim their data.

The GoldenEye ransomware attack takes on a job application theme. Attackers use phishing tactics to send fake emails claiming to be from potential job applicants. The attack starts when someone in the HR department gets an email from a ‘job applicant’ with their cover letter and application attached.

Probably to serve as a decoy, the cover letter is simply a PDF with no malicious content. The other document attached is a malicious Excel file with infected macros – usually with key words like ‘application’ or ‘candidate.’ Once opened, the malicious file appears to be loading and prompts the victim to click “Enable Content” to run the macros and start the encryption process.

After the ransomware is finished encrypting, victims are presented with the typical ransomware screen demanding a ransom in exchange for the decryption key. This particular ransom demand is 1.3 bitcoin.

Best Practices

This is a clever attack method, due to the nature of an HR professional’s job. It’s not uncommon to receive and respond to emails from strangers looking to apply for a job or sending in their resume.

The best bet here is to keep macros disabled on all Microsoft Office documents. Keep reiterating to your workforce the importance of never enabling macros. Workforce awareness and training are key to thwarting these types of attacks. And, as always, employees need to be suspicious of any email that comes from an unknown or unexpected source.
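To back up the macro advice with a technical control, a mail filter can flag inbound messages whose attachments carry a VBA project, which is the pattern described above (a harmless PDF next to a macro-enabled spreadsheet). The following Python sketch is an added example, not code from the original article; the function names, addresses and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")       # legacy .xls/.doc container signature
VBA_ENTRY = "_VBA_PROJECT".encode("utf-16-le")      # VBA stream/storage name in OLE directories

def has_macros(data: bytes) -> bool:
    """Heuristic check for an embedded VBA project in an Office file."""
    if data.startswith(OLE_MAGIC):                   # .xls, .doc, ...
        return VBA_ENTRY in data
    if data.startswith(b"PK"):                       # .xlsm, .docm, ... (ZIP-based)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False

def macro_attachments(raw_email: bytes) -> list[str]:
    """Return the file names of attachments that contain macros."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    return [part.get_filename() or "(unnamed)"
            for part in msg.iter_attachments()
            if has_macros(part.get_payload(decode=True) or b"")]

def build_sample() -> bytes:
    """Constructed test message: PDF cover letter plus two spreadsheets."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "applicant@example.com", "hr@example.com"
    msg["Subject"] = "Job application"
    msg.set_content("Please find my cover letter and application attached.")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="cover_letter.pdf")
    # Stand-in bytes, not a real workbook: OLE signature plus the VBA entry name.
    fake_xls = OLE_MAGIC + b"\x00" * 64 + VBA_ENTRY + b"\x00" * 64
    msg.add_attachment(fake_xls, maintype="application",
                       subtype="vnd.ms-excel", filename="application.xls")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:             # macro-free OOXML stand-in
        zf.writestr("xl/workbook.xml", "<workbook/>")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="clean.xlsx")
    return msg.as_bytes()

if __name__ == "__main__":
    print(macro_attachments(build_sample()))
```

The check only reports that a VBA project is present; it does not judge what the macro does, so flagged messages are best quarantined for review rather than delivered to the HR mailbox.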