EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
|Threat Level:||100 % (High)|
|First Seen:||December 7, 2016|
|Last Seen:||November 17, 2022|
The GoldenEye Ransomware is an encryption Trojan that is pushed as an improved version of the Petya Ransomware, which surfaced in March 2016. The GoldenEye Ransomware was brought to the attention of security researchers in December 2016. Spam emails aimed at human resource departments were found to carry a corrupted spreadsheet that featured a macro. As you well know by now, the macro is widely abused by threat actors to deliver threats like the Al-Namrood Ransomware and the Osiris Ransomware. PC users that work with CVs on a daily basis appear to be among the primary targets of the GoldenEye Ransomware since they are likely to open a document from an unknown sender.
Table of Contents
Fake CVs and Spreadsheets Deliver the GoldenEye Ransomware to Computers
The macro script used to deliver the GoldenEye Ransomware is designed to write base64 encoded strings into an executable file that is stored in the Temp directory. Additionally, a VBA script is created that loads the executable into the system memory and the encryption process is initiated. The GoldenEye Ransomware works a bit different than the Mischa Ransomware which is another variant of the Petya Ransomware. The GoldenEye Ransomware is programmed to encrypt all files on the local drives using an AES-256 cipher. The GoldenEye Ransomware Trojan avoids directories that contain system data such as:
- Program Data
- Program Files
- Program Files (x86)
- Volume Information
A Random 8-Characters Extension is Appended to Encoded Files
For example, 'Cobalt blue.docx' is enciphered to 'Cobalt blue.docx.84YpQ8z0' while 'Ultramarine violet.docx' is converted to 'Ultramarine violet.docx.2b8r6K2g'. If the GoldenEye Ransomware manages to elevate its system privileges, it attempts to install a rootkit. The rootkit is designed to lock the access to the computer entirely by encrypting the drive's MFT (Master File Table - a kind of address book for your data). Then a custom boot loader is introduced, and YOUR_FILES_ARE_ENCRYPTED.TXT is loaded on the screen, which reads:
'You became victim of the GOLDENEYE RANSOMWARE!
The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2.
To purchase your key and restore your data, please follow these three easy steps:
1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page".
2. visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/ http://goldeny4vs3nyoht.onion/
3. Enter your personal decryption code there:
[instruction what field to use on the portal]'
The Best Protection against the GoldenEye Ransomware is an Asynchronous Backup Management
The GoldenEye Ransomware can lock all your data and sync your files with a cloud-based drive may backfire. A smarter solution is to backup your data manually and on a schedule as you can make sure you are not uploading corrupted files. Unfortunately, security researchers are unable to break the encryption employed by the GoldenEye Ransomware, and you will need to rely on your backups. Paying the ransom is a gamble that you might want to avoid since you are not guaranteed to receive a proper decryptor. The GoldenEye Ransomware Trojan can be purged with the help of a trusted anti-malware utility.
SpyHunter Detects & Remove GoldenEye Ransomware
File System Details
Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.