GoldenEye/PetyaWrap is ransomware that is part of a worldwide outbreak and cybercrime campaign
Clavister, via its strategic partner Bitdefender, has identified a massive ransomware campaign that is currently unfolding worldwide. Preliminary information shows that the malware sample responsible for the infection is an almost identical clone of the GoldenEye ransomware family. At the time of writing there is no confirmed information about the propagation vector, but we presume it is carried by a wormable component.
Unlike most ransomware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another that encrypts NTFS structures. This approach prevents victims' computers from being booted into a live OS environment to retrieve stored information or samples.
Just like Petya, GoldenEye, or PetyaWrap as some call it, encrypts the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer.
Additionally, after the encryption process is complete, the ransomware has a specialized routine that forcefully crashes the computer to trigger a reboot, which renders the computer unusable until the $300 ransom is paid.
The Clavister Endpoint Security Client blocks the currently known samples of the new GoldenEye variant.
The GoldenEye/PetyaWrap ransomware outbreak that started to unfold on June 27, 2017 encrypts files on your hard drive and crashes the computer, which becomes locked upon reboot until payment is made.
During the initial phase of the outbreak Ukraine seemed to be the main target; the organization managing the Chernobyl disaster fallout zone said it had to switch radiation monitoring at industrial sites to manual because it had to shut down all Windows computers.
The outbreak is spreading fast, and large corporations such as Maersk, the UK law firm DLA Piper, airports, power grids, bus stations, gas stations and many more have been confirmed infected.
This strain of ransomware seems to be based on Petya and utilizes exploits similar to those used by the WannaCry ransomware, including the EternalBlue and EternalRomance exploits, which originated from weaponized cyber tools developed by the NSA and leaked by a hacker group called the Shadow Brokers. The infection vector also includes an attack against the update mechanism of a third-party Ukrainian software product called MeDoc.
The campaign seems to target utility companies in Ukraine but is spreading fast across the globe and is likely to affect the entire world, perhaps with the same magnitude as WannaCry did.
GoldenEye, or PetyaWrap as some researchers are calling it, is a highly potent and dangerous ransomware using multiple techniques for spreading between computers.
This ransomware utilizes some of the same vulnerabilities and exploits as WCry, but some reports state that it uses modified versions of EternalBlue and EternalRomance, which exploit a vulnerability in Windows 2008 systems over TCP port 445. Furthermore, it uses WMI or PsExec to spread within local area networks, which is why even patched versions of Microsoft Windows 10 have been observed to be affected.
Unlike WCry, GoldenEye/PetyaWrap does not have a global killswitch that turns off all active spreading of the malware. This will likely result in it becoming more widespread than its predecessor.
After only a few hours in the wild, tens of thousands of systems have been attacked. It is our belief that this will grow rapidly and continue to evolve over the coming weeks. Unmanned stations in particular, such as control systems in industry and critical infrastructure, ATMs, traffic control systems and similar, will be affected on a large scale.
UK-based research firm PT Security and other sources report that they have found a possible local killswitch, or antidote. By creating a file named "C:\Windows\perfc" on your local computer you might be able to avoid infection.
Unconfirmed reports also mention that the ransomware is spreading both via emails with infected Excel files and via the SMB protocol.
Analysts from multiple companies have also concluded that it uses the PsExec command-line tool. The precise relationship among the various infection methods isn't yet clear.
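A small PowerShell routine, added here as an example and not part of the Clavister advisory, that applies the perfc vaccination file reported above and, going one step beyond the text, also reports whether the SMBv1 server is still enabled on the host, since the exploits described reach the machine over TCP port 445. The function name, the returned report object and the SMBv1 check are my additions; the file path is the one given in the advisory, and the script assumes an elevated session on Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the advisory): create the reported
# "C:\Windows\perfc" vaccination file and report SMBv1 status.
# Run from an elevated PowerShell session.

function Install-PerfcVaccine {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Path reported as the local killswitch; $env:SystemRoot is C:\Windows on a default install.
        [string]$Path = (Join-Path $env:SystemRoot 'perfc')
    )

    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        Write-Verbose "Vaccination file already present: $Path"
    }
    elseif ($PSCmdlet.ShouldProcess($Path, 'Create vaccination file')) {
        # Create an empty file; -Force is deliberately omitted so an
        # existing directory of the same name is never clobbered.
        New-Item -Path $Path -ItemType File | Out-Null
    }

    $present = Test-Path -LiteralPath $Path -PathType Leaf
    if ($present) {
        # Read-only lowers the chance of the file being overwritten by accident.
        Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
    }

    # Hardening check beyond the perfc file (my addition): EternalBlue/EternalRomance
    # target SMB over TCP 445, so flag hosts where the SMBv1 server is still on.
    $smb1 = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Hypothetical report object for inventory/ticketing, not an advisory artifact.
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        VaccineFile    = $Path
        VaccinePresent = $present
        ReadOnly       = if ($present) { (Get-Item -LiteralPath $Path).IsReadOnly } else { $false }
        Smb1Enabled    = $smb1
    }
}

# Use -WhatIf first to see what would change without touching the disk.
Install-PerfcVaccine -Verbose
```

A Smb1Enabled value of True means the host still exposes the SMBv1 server that the port 445 exploits above rely on, so patching (MS17-010) and disabling SMBv1 remain the real fix; the perfc file is only a stopgap.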
Once the ransomware has infected its host computer it downloads two different payloads: one that encrypts the files and another that steals credentials (usernames and passwords) from the computer.
The unique combination of multiple infection vectors, together with the fact that it encrypts files, locks the computer and steals credentials, makes this malware among the most complex and dangerous ever seen in the wild.