“HR-Engineering”: Petya is looking for a job

The threat that ransomware poses to our digital lives should be clear to everyone. Many organizations (the security industry, governments …) have been hit by it and are working hard to defend society against further infections. You are all doing a great job!

For now, I don’t want to go too deeply into the technical details of the new “green” Petya ransomware, since good analysis is already available. All these findings are helpful and welcome, because they push us forward in the ongoing fight to protect our customers.

But technical innovations will never fully protect against the mistakes made by human beings. We have learnt a lot from ransomware, and the criminals in turn have learnt from our improvements against them. Their methods are getting more and more sophisticated, to the point where we as ordinary human beings simply cannot tell whether, for example, an email we receive is genuine or not.

For example, look at this email and tell us whether you think it’s real:

[Screenshot: the job application email]

I think only very few people, especially those working in a human resources department, would suspect that there is ransomware lurking behind this job application.

The criminals are also doing their homework when it comes to how they distribute the malicious program.

Petya is an especially good example. While other ransomware families still use malicious attachments (documents, JavaScript files …) in their spear-phishing emails, Petya has innovated by using several cloud storage services such as Dropbox, CloudMagneta and Jottacloud to host the malicious file instead of attaching it:

[Screenshot: the cloud service download link used by Petya]

It’s an interesting observation about Petya that the criminals behind it know that a potentially huge number of job applications are sent to companies in exactly this way. They are looking for weak points within organizations that can be exploited to infect machines, and this time they have found one in the HR department.
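As an added example (not from the original post, and not a tool of the author’s lab), here is a small Python check that a mail gateway or SOC script could run over an incoming message to flag the lure described above: a job-application email whose “documents” are a link to a file-sharing service rather than a real attachment. The list of sharing hosts, the application keywords, the treatment of a `dl=1` forced-download parameter and both sample emails are assumptions constructed for illustration.

```python
"""Flag job-application emails that deliver their 'documents' through a
cloud file-sharing link instead of an attachment.
Added example; hosts, keywords and sample messages are constructed."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed set of file-sharing hosts; extend with what your gateway sees.
SHARING_HOSTS = {"dropbox.com", "dl.dropboxusercontent.com", "jottacloud.com"}
# File names that have no business in a CV. .zip is included because such
# archives commonly wrap an .exe or .js.
DANGEROUS_EXT = (".exe", ".scr", ".js", ".jse", ".vbs", ".zip")
# Words (English and German) that mark a message as a job application.
APPLICATION_WORDS = re.compile(
    r"\b(application|bewerbung|cv|resume|lebenslauf)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_matches(host: str) -> bool:
    """True if host is a sharing host or a subdomain of one."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in SHARING_HOSTS)


def extract_urls(msg) -> list:
    """Collect every URL from the text/plain and text/html parts."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def analyse(raw: str) -> dict:
    """Return a verdict for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    text = (msg["subject"] or "") + " " + " ".join(
        p.get_content() for p in msg.walk()
        if p.get_content_type() == "text/plain")
    lure = bool(APPLICATION_WORDS.search(text))

    findings = []
    for url in extract_urls(msg):
        u = urlparse(url)
        if not host_matches(u.hostname or ""):
            continue
        reasons = ["file-sharing host"]
        if u.path.lower().rstrip("/").endswith(DANGEROUS_EXT):
            reasons.append("executable or archive name in link")
        if "dl=1" in u.query:  # assumed forced-download parameter
            reasons.append("forced-download parameter")
        findings.append({"url": url, "reasons": reasons})

    has_attachment = any(p.get_content_disposition() == "attachment"
                         for p in msg.walk())
    return {
        "job_application_lure": lure,
        "sharing_links": findings,
        "has_real_attachment": has_attachment,
        # The combination is what matters: applications with a real
        # attachment and no sharing link are normal business.
        "suspicious": lure and bool(findings),
    }


# Constructed sample: the lure pattern described in the post.
SAMPLE_EMAIL = """\
From: applicant@example.org
To: jobs@example.com
Subject: Application for the advertised position
Content-Type: text/plain; charset=utf-8

Dear Sir or Madam,

please find my CV and certificates here:
https://www.dropbox.com/s/0000000000/Bewerbung.zip?dl=1

Kind regards
"""

# Constructed sample: an ordinary message with a link to a normal website.
BENIGN_EMAIL = """\
From: colleague@example.org
To: jobs@example.com
Subject: Meeting next week
Content-Type: text/plain; charset=utf-8

Agenda is at https://www.example.org/agenda, see you then.
"""

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyse(raw))
```

The check deliberately combines two signals, the job-application wording and a link to a sharing host, because either one alone is common in legitimate mail; an HR mailbox could route messages that trip both into a quarantine or a detonation sandbox rather than to the recruiter’s inbox.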

The purpose of these cloud services is that everybody can use them! Unfortunately, criminals can use them for their business too. Maybe these cloud providers should start thinking about better security measures in their user registration processes.

Looking back at the previous ransomware campaigns built around unpaid invoices (finance departments) and now those built around job applications (HR departments), it is clear that criminals are trying to enter companies through the departments with the least computer expertise. It is also clear that such companies will be prepared to pay a lot more than the average user: an organization has far more to lose when an attack succeeds against its whole network.

So be very careful with every email, even those that look like a regular job application. Especially if you work in the human resources department of a company.


Team Leader Virus Lab Disinfection Service