Clavister blocks GoldenEye/PetyaWrap

GoldenEye/PetyaWrap is a ransomware part of a world-wide outbreak and cyber crime campaign

Clavister protects against GoldenEye/PetyaWrap, a ransomware targeting critical infrastructure

Clavister, via its strategic partner Bitdefender, has identified a massive ransomware campaign that is currently unfolding worldwide. Preliminary information shows that the malware sample responsible for the infections is an almost identical clone of the GoldenEye ransomware family. At the time of writing there is no confirmed information about the propagation vector, but we presume it is carried by a wormable component.

Unlike most ransomware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another that encrypts NTFS structures, notably the Master File Table (MFT). This second layer prevents victims from booting the computer into a live OS environment to retrieve stored information or samples.

Just like Petya, GoldenEye, or PetyaWrap as some call it, encrypts the entire hard disk drive and denies the user access to the computer. Unlike Petya, however, there is no known workaround to recover the decryption keys from the affected computer.

Additionally, after the encryption process is complete, the ransomware runs a specialized routine that forcefully crashes the computer to trigger a reboot, which leaves it unusable until the $300 ransom is paid.

The Clavister Endpoint Security Client blocks the currently known samples of the new GoldenEye variant.

About GoldenEye/PetyaWrap

The GoldenEye/PetyaWrap ransomware outbreak that started to unfold on June 27, 2017 encrypts files on the hard drive and crashes the computer, which remains locked after reboot until payment is made.

During the initial phase of the outbreak Ukraine appeared to be the main target; the organization managing the Chernobyl exclusion zone said it had to switch radiation monitoring at industrial sites to manual because all Windows computers had to be shut down.

The outbreak is spreading fast, and large corporations such as Maersk and the UK law firm DLA Piper, as well as airports, power grids, bus stations, gas stations and many more, have been confirmed infected.

This strain of ransomware appears to be based on Petya and uses exploits similar to those used by the WannaCry ransomware, including EternalBlue and EternalRomance, which originated from weaponized cyber tools developed by the NSA and leaked by a group called the Shadow Brokers. The infection vector also includes an attack against the update mechanism of a third-party Ukrainian software product called MeDoc.

The campaign seems to target utility companies in Ukraine but is spreading fast across the globe and is likely to affect the entire world, perhaps with the same magnitude as WannaCry did.

Possibly the most dangerous malware ever seen in the wild

GoldenEye, or PetyaWrap as some researchers are calling it, is a highly potent and dangerous ransomware that uses multiple techniques for spreading between computers.

This ransomware uses some of the same vulnerabilities and exploits as WannaCry, and some reports state that it carries modified versions of EternalBlue and EternalRomance, which exploit a vulnerability in Microsoft's SMBv1 implementation (addressed by MS17-010) over TCP port 445. Furthermore, it uses WMI and PsExec with harvested credentials to spread within local area networks, which is why fully patched Windows 10 systems have also been affected.

No Global Killswitch, but possibly a local one

Unlike WannaCry, GoldenEye/PetyaWrap has no global killswitch that turns off all active spreading of the malware. This will likely make it more widespread than its predecessor.

After only a few hours in the wild, tens of thousands of systems have been attacked. It is our belief that this will grow rapidly and continue to evolve over the coming weeks. Unmanned systems in particular, such as industrial control systems and other critical infrastructure, ATMs and traffic control systems, are expected to be affected on a large scale.

Research firm PT Security and other sources report that they have found a possible local killswitch, or antidote. By creating a file named "C:\Windows\perfc" on the local computer you might be able to avoid infection of that machine. This is a per-machine measure: it does nothing to stop the malware spreading from other hosts.

Multiple Infection Vectors

Unconfirmed reports also mention that the ransomware is spreading both via emails with infected Excel files and via the SMB protocol.

Analysts from multiple companies have also concluded that it uses the PsExec command-line tool. The precise relationship among the various infection methods is not yet clear.
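The PsExec and WMI spreading described in the two sections above leaves traces in the Windows event logs of every machine it touches. The following is an added example, not code from the Clavister advisory: a PowerShell function that flags those traces, run here over constructed event records (hostnames, times and command lines are made up) so it works offline. The record fields are a simplified mapping of System event 7045 (service installed) and Security event 4688 (process created).

```powershell
# Added example, not from the Clavister advisory. Flags host-side traces of
# PsExec / WMI lateral movement in simplified event records. Field names are a
# hand mapping of System 7045 and Security 4688; the sample data is constructed.

function Find-LateralMovementIndicators {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        switch ($e.Id) {
            7045 {
                # PsExec registers a temporary service, PSEXESVC, on every target it touches.
                if ($e.ServiceName -eq 'PSEXESVC' -or $e.ImagePath -match '(?i)PSEXESVC\.exe') {
                    [pscustomobject]@{ Host = $e.Host; Time = $e.Time
                        Indicator = 'PsExec service installed'; Detail = $e.ImagePath }
                }
            }
            4688 {
                # Remote WMI execution shows up as a new process whose parent is the
                # WMI provider host, or as wmic.exe being pointed at another machine.
                if ($e.ParentProcessName -match '(?i)\\WmiPrvSE\.exe$') {
                    [pscustomobject]@{ Host = $e.Host; Time = $e.Time
                        Indicator = 'Process spawned by WmiPrvSE.exe'; Detail = $e.CommandLine }
                }
                elseif ($e.CommandLine -match '(?i)\bwmic(\.exe)?\b.*\s/node:') {
                    [pscustomobject]@{ Host = $e.Host; Time = $e.Time
                        Indicator = 'wmic.exe targeting a remote node'; Detail = $e.CommandLine }
                }
            }
        }
    }
}

# Constructed sample records (not real telemetry). Two of the four are benign.
$SampleEvents = @(
    [pscustomobject]@{ Host = 'WS-014'; Time = '2017-06-27 11:02:13'; Id = 7045
        ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe' }
    [pscustomobject]@{ Host = 'WS-014'; Time = '2017-06-27 11:02:15'; Id = 4688
        ParentProcessName = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        CommandLine = 'C:\Windows\System32\cmd.exe /c C:\Windows\Temp\stage.exe' }
    [pscustomobject]@{ Host = 'WS-022'; Time = '2017-06-27 11:03:40'; Id = 7045
        ServiceName = 'Spooler'; ImagePath = '%SystemRoot%\System32\spoolsv.exe' }
    [pscustomobject]@{ Host = 'WS-031'; Time = '2017-06-27 11:05:02'; Id = 4688
        ParentProcessName = 'C:\Windows\explorer.exe'
        CommandLine = 'wmic.exe /node:"10.0.0.14" /user:"CORP\svc_backup" process call create "cmd.exe /c C:\Windows\Temp\stage.exe"' }
)

# Expected: three hits (PSEXESVC install, WmiPrvSE child, wmic /node:), Spooler ignored.
Find-LateralMovementIndicators -Events $SampleEvents | Format-Table -AutoSize
```

To run this against real hosts, pull records with `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}` and `@{LogName='Security'; Id=4688}` and map the fields from each event's XML (`[xml]$ev.ToXml()`). Two caveats a hunt team should know: event 4688 only carries the command line if the "Include command line in process creation events" policy is enabled, and PsExec is also used legitimately by administrators, so treat a PSEXESVC install as a lead to correlate with the account and timing rather than as proof of infection.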

Encrypts, Locks and Steals Passwords

Once the ransomware has infected a host, it deploys two different components: one that encrypts files and another that steals credentials (usernames and passwords) from the computer, which are then used to spread further.

Unique Combination, Possibly the Worst Ever Seen

The unique combination of multiple infection vectors with file encryption, computer lockout and credential theft makes this malware among the most complex and dangerous ever seen in the wild.

GoldenEye / PetyaWrap in Action

See the linked video clip of this malware in action.

How to protect yourself

  1. Disconnect infected computers
    Disconnect infected computers to avoid further damage to your network and data.

  2. Patch and upgrade
    Update your computers with the latest patches from Microsoft. It is crucial to apply the MS17-010 bulletin immediately.

  3. Disable SMBv1
    If no patch is available for your computer, disable the SMBv1 protocol (the version MS17-010 addresses) to stop the exploit-based spreading. Note that this does not stop the WMI/PsExec spreading, which relies on stolen credentials rather than on the vulnerability.

  4. Back up your data on offline hard drives.
    The malware encrypts files on external drives such as a USB drives, as well as any network or cloud file stores.

  5. Endpoint Security
    Ensure you are using proper Endpoint Security products.
    We recommend using the Clavister Endpoint Security Client (ESC), which blocks the currently known strains involved in this outbreak.

  6. Network Security
    1. Network Based Antivirus
      Enable the Antivirus feature on your Clavister Next Generation Firewall and ensure that you are using the latest signature database.

    2. Intrusion Detection and Prevention
      Enable the Intrusion Detection and Prevention feature on your Clavister Next Generation Firewall and ensure that you are using the latest signature database.

    3. Network Segmentation / Firewall Policies
      Ensure that you have proper firewalling policies on your Clavister Next Generation Firewall to minimize the risk of remote infections and lateral movement between network segments; in particular, do not allow SMB (TCP port 445) between segments unless it is required.
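The host-side steps above (MS17-010 check, SMBv1 off, inbound TCP 445 blocked) and the local "perfc" killswitch from the earlier section can be applied with a single script. The following is an added example and not Clavister's own tooling: run it from an elevated PowerShell prompt. It assumes Windows 8.1 / Server 2012 R2 or later for the Smb* and NetFirewall cmdlets, with the registry and netsh fallbacks in the comments covering Windows 7 / Server 2008 R2. The KB numbers are the ones Microsoft published for MS17-010; later cumulative updates supersede them, so a miss means "check update history", not "vulnerable".

```powershell
# Added example, not Clavister's own tooling. Applies the host-side mitigations
# from the list above plus the local perfc killswitch. Run elevated.

function Test-Ms17010Patch {
    # MS17-010 KBs (March 2017). Superseded by later cumulative updates, so
    # "none found" is a prompt to check Windows Update history, not a verdict.
    $Kbs = @(
        'KB4012212', 'KB4012215'              # Windows 7 / Server 2008 R2
        'KB4012213', 'KB4012216'              # Windows 8.1 / Server 2012 R2
        'KB4012214', 'KB4012217'              # Server 2012
        'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
    )
    $found = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $Kbs -contains $_.HotFixID }
    if ($found) { Write-Host "MS17-010 present: $($found.HotFixID -join ', ')" }
    else        { Write-Warning 'No MS17-010 KB found; confirm the current cumulative update is installed.' }
}

function Disable-Smb1 {
    # SMBv1 is the protocol version EternalBlue/EternalRomance target. Turning the
    # server side off removes the exploitable listener; a reboot finalises it.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2: Microsoft's documented registry method.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Also disable the SMBv1 client driver so this host never speaks SMBv1 outbound.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Block-InboundSmb {
    # For hosts that cannot be patched yet: drop inbound TCP 445 at the host
    # firewall. Do not apply to file servers or domain controllers without
    # planning, since SMB is how they serve their clients.
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    } else {
        netsh advfirewall firewall add rule name="Block inbound SMB (TCP 445)" dir=in action=block protocol=TCP localport=445 | Out-Null
    }
}

function New-PerfcKillswitchFile {
    # Local killswitch reported by PT Security and others: the malware is reported
    # to exit if C:\Windows\perfc already exists. Read-only keeps the dropper from
    # simply replacing it. Protects this host only, and only against this variant.
    $path = Join-Path $env:SystemRoot 'perfc'
    if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
    (Get-Item $path).IsReadOnly = $true
}

Test-Ms17010Patch
Disable-Smb1
Block-InboundSmb          # comment out on servers that must keep serving SMB
New-PerfcKillswitchFile
Write-Host 'Reboot to complete the SMBv1 change.'
```

The order matters less than the combination: the SMBv1 change and the firewall rule close the EternalBlue/EternalRomance path, the patch check confirms the vulnerability itself is fixed, and the perfc file is a stopgap for machines that cannot be rebooted right away. None of these stop the credential-based WMI/PsExec spreading, which is why the segmentation and endpoint-protection steps above remain necessary.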