GoldenEye: What we know so far about WannaCry’s deadly sibling

We told you WannaCry wasn’t dead and that something nasty was coming. But whether that something is nastier and more dangerous, remains to be seen.

All across the world yesterday a dangerous new ransomware cyber attack – dubbed GoldenEye – began to spread, appearing to strike first in the Ukraine and then Russia before spreading to the rest of Europe and beyond. Russia’s top oil producer Roseneft and several banks in the country were hit. Ukraine’s central bank and metro system were hit as were Kiev’s Boryspil Airport and electricity supplier Ukrenergo.

‘This is a great example of two malware components coming together to generate more pernicious and resilient malware’

The virus then spread to Denmark, Norway and the Netherlands, via shipping giant Maersk’s Russian subsidiaries. It hit ad agency WPP in London, French construction company Saint Gobain and Spanish food giant Mondelez.

The attack has even forced the Chernobyl nuclear plant to check radiation levels manually after Windows-based systems were shut down.

In Ireland there have been reports that the virus has been detected in local operations of international pharma companies and some users have claimed to have had $ 300 in bitcoin demanded in return for access to their systems.

The attack has also spread to the Asia-Pacific region, including India’s largest shipping container port.

It has been given different names such as GoldenEye, Petya and NotPetya, and has so far hit 2,000 high-profile targets, including pharmaceutical giant Merck. For the sake of clarity we’ll call it GoldenEye.

So what is GoldenEye?

First off, WannaCry lives

Last month WannaCry hit over 300,000 systems across the planet with ransomware, knocking critical systems from organisations like the NHS offline. Attacking older Windows systems its spread was calmed by a critical patch update from Microsoft. WannaCry is still in the wild and last week infected the systems of Japanese car manufacturer Honda, halting production, as well as infecting 55 Australian traffic light cameras.

GoldenEye is definitely a sibling of sorts to WannaCry

Kaspersky Labs researcher Costin Raiu yesterday identified the malware as Petrwrap, a strain of the Petya ransomware investigated by the firm in June. However, Kaspsersky later clarified GoldenEye to be an entirely new strain of ransomware, which it dubbed ‘NotPetya’.

According to reports the new ransomware employs the same EternalBlue exploit used by WannaCry to spread quickly between systems. EternalBlue, which was published by the Shadow Brokers in April, targets Windows SMB file-sharing systems and is believed to be a cyber weapon stolen from the NSA’s arsenal. In other words, the virus attacks wreaking havock on systems, including US corporates, were created using US taxpayers’ money.

No kill switch as been found

Unlike WannaCry where a kill switch of sorts was discovered by security researchers within 24 hours by adjusting the ransomware’s code, no such killswitch as been found (at the time of writing). GoldenEye apparently uses two layers of encryption to frustrate efforts by researchers to stop it in its tracks.

Not only have those behind GoldenEye been more careful with the code, the nature of the attacks are precise in nature, with 2,000 infections hitting major companies rather than the hundreds of thousands in the scattergun attack by WannaCry.

It wants money

Yes, there are hackers behind this attack and they want users to pay a ransom in return for access to their systems and data. According to Reuters at least 30 victims have paid into the bitcoin account associated with the attack. The US Department of Homeland Security has urged users not to pay the ransoms because doing so would be no guarantee that access would be restored.

The hackers haven’t made it easy for themselves to get the money. The payment mechanism apparently relies on manual payment validation so that when victims pay the ransom they must email proof of payment to an email address in return for a decryption key.

However, the hackers’ email provider Posteo has pulled the plug on the account, making payment confirmation impossible.

There are various theories on who is behind the attack

No one knows for sure who is behind the attack, whether it is a hacker collective acting independently or whether there are governments supporting the attackers. Allegations that Shadow Brokers is backed by the Russian government and that North Korea was behind WannaCry have been denied by both countries.

“This malware appears to have been targeted at Ukrainian infrastructure groups such as government workstations, power companies, banks, ATMs, state-run television stations, postal services, airports, and aircraft manufacturers. Since the initial infection it has spread to other markets, and beyond the Ukraine boarders,” said Phil Richards, CISO at Ivanti.

“The Petya component includes many features that enable the malware to remain viable on infected systems, including attacking the Master Boot Record. The EternalBlue component enables it to proliferate through an organization that doesn’t have the correct patches or antivirus/antimalware software.

“This is a great example of two malware components coming together to generate more pernicious and resilient malware.”

“Cybersecurity experts believe the current attack may be based on last month’s WannaCry attack,” said Simon Taylor, vice-president of Products at Glasswall.

“Whatever name they give it, they cannot protect some of the world’s largest businesses and organisations. Most attacks now begin with malicious code hidden in an email attachment, which is installed when employees are tricked into clicking on it via social engineering. Secreting code in the structure of common file types such as Word documents, Excel spreadsheets, PowerPoint files and PDFS is the most common method criminals now use.

“Because antivirus defences are no longer any use against these attacks, organisations must start to rely on more innovative email security techniques. Until then, these types of attacks will continue to be commonplace.”

In conclusion, we can expect these kind of ransomware attacks, mutants of WannaCry, to continue as hackers either get creative and cause turmoil for the lols, or something more sinister is at play. Welcome to the deadly new age of ransomware.

The post GoldenEye: What we know so far about WannaCry’s deadly sibling appeared first on Silicon Republic.

Silicon RepublicSilicon Republic