A massive attack, triggered by a version of the GoldenEye or Petya ransomware is currently claiming victims around the world. Unlike other families of ransomware, #GoldenEye does not encrypt individual files, but rather the entire hard disk drive. It then reboots it to prevent the user from accessing that information. When the encryption process is complete, #GoldenEye forcefully crashes the computer and asks for $300 as ransom.
What is unique about #GoldenEye is that unlike other ransomware, this variant has two layers of encryption: once that encrypts files on the computer and another one that encrypts NTFS filesystems. This approach prevents victim computers from being booted up into Windows.
Additionally, after the encryption process is complete, the ransomware has a specialized routine that forcefully crashes the computer to trigger a reboot that renders the computer unusable until the $300 ransom is paid.
According to BitDefender Labs, some infections with GoldenEye/Petya have been triggered by a compromised update of the MeDOC accounting software. It was first intercepted by their customers in Ukraine, therefore confirming the MeDOC update as the infection vector. This makes Ukraine "patient zero" from where the infection spread across networks to headquarters and/or satellite offices.
"Our initial investigation reveals that it spreads automatically from one computer to another using multiple vulnerabilities in the operating system, including the EternalBlue exploit that grabbed the headlines during the #WannaCry attack.", stated BitDefender.
BitDefender Labs also noted that "Several critical infrastructure institutions in Ukraine have already been taken offline." and "We strongly advise all companies who have offices in Ukraine to be on the lookout and to monitor VPN connections to other branches."
It is probably obvious, but everyone is at risk. Even if you are on the latest operating system with the latest Antivirus detection, it is important for all end users to be aware and avoid clicking on files in suspicious emails. It has been confirmed that several companies so far have fallen victim to the #GoldenEye/#Petya ransomware.
Chernobyl’s radiation monitoring system, DLA Piper law firm, pharma company Merck, a number of banks, an airport, the Kiev metro, Danish shipping and energy company Maersk, British advertiser WPP and Russian oil industry company Rosnoft. The attacks were widespread in Ukraine, affecting Ukrenergo, the state power distributor, and several of the country’s banks.
The email address used to get payment confirmation for the ransom has been suspected by Posteo. This means that all payments will be unable to get validated, and therefore will not receive the decryption key. As a result, do not pay the ransom. You'll lose your data anyway, but will also contribute to fund these cyber terrorists for further development of malware.
Our managed services suite includes BitDefender for its endpoint security, who released a statement confirming that Bitdefender blocks the currently known samples of the new #GoldenEye variant and "If you are running a Bitdefender security solution for consumer or business, your computers are not in danger".