GoldenEye Ransomware

The GoldenEye Ransomware is an encryption Trojan that is pushed as an improved version of the Petya Ransomware, which surfaced in March 2016. The GoldenEye Ransomware was brought to the attention of security researchers in December 2016. Spam emails aimed at human resource departments were found to carry a corrupted spreadsheet that featured a macro. As you well know by now, the macro is widely abused by threat actors to deliver threats like the Al-Namrood Ransomware and the Osiris Ransomware. PC users that work with CVs on a daily basis appear to be among the primary targets of the GoldenEye Ransomware since they are likely to open a document from an unknown sender.

Fake CVs and Spreadsheets Deliver the GoldenEye Ransomware to Computers

The macro script used to deliver the GoldenEye Ransomware is designed to write base64 encoded strings into an executable file that is stored in the Temp directory. Additionally, a VBA script is created that loads the executable into the system memory and the encryption process is initiated. The GoldenEye Ransomware works a bit different than the Mischa Ransomware which is another variant of the Petya Ransomware. The GoldenEye Ransomware is programmed to encrypt all files on the local drives using an AES-256 cipher. The GoldenEye Ransomware Trojan avoids directories that contain system data such as:

• Windows
• Program Data
• Program Files
• Program Files (x86)
• Volume Information

A Random 8-Characters Extension is Appended to Encoded Files

For example, 'Cobalt blue.docx' is enciphered to 'Cobalt blue.docx.84YpQ8z0' while 'Ultramarine violet.docx' is converted to 'Ultramarine violet.docx.2b8r6K2g'. If the GoldenEye Ransomware manages to elevate its system privileges, it attempts to install a rootkit. The rootkit is designed to lock the access to the computer entirely by encrypting the drive's MFT (Master File Table - a kind of address book for your data). Then a custom boot loader is introduced, and YOUR_FILES_ARE_ENCRYPTED.TXT is loaded on the screen, which reads:

'You became victim of the GOLDENEYE RANSOMWARE!
The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2.
To purchase your key and restore your data, please follow these three easy steps:
1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page".
2. visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/ http://goldeny4vs3nyoht.onion/
3. Enter your personal decryption code there:
[instruction what field to use on the portal]'

The Best Protection against the GoldenEye Ransomware is an Asynchronous Backup Management

The GoldenEye Ransomware can lock all your data and sync your files with a cloud-based drive may backfire. A smarter solution is to backup your data manually and on a schedule as you can make sure you are not uploading corrupted files. Unfortunately, security researchers are unable to break the encryption employed by the GoldenEye Ransomware, and you will need to rely on your backups. Paying the ransom is a gamble that you might want to avoid since you are not guaranteed to receive a proper decryptor. The GoldenEye Ransomware Trojan can be purged with the help of a trusted anti-malware utility.

SpyHunter Detects & Remove GoldenEye Ransomware