Anti-Malware Research

Massive GoldenEye Ransomware Campaign Slams worldwide users

Several critical infrastructure institutions in Ukraine have already been taken offline


Update 6/28 16.30 GMT+3

Our internal telemetry shows that some infections with #GoldenEye have been triggered by the compromised update of the MeDOC accounting software. A number of our customers in Ukraine where our solutions intercepted the attack clearly show explorer.exe starting up ezvit.exe (the accounting app binary), which in turn executes rundll32.exe with the ransomware’s DLL as a parameter.

Bottom line, we can confirm the MeDOC update as an infection vector. This makes Ukraine “patient zero” from where the infection spread across VPN networks to headquarters or satellite offices.

We strongly advise all companies who have offices in Ukraine to be on the lookout and to monitor VPN connections to other branches.

In addition to the MeDOC update, there are some other infection vectors that we are investigating as we write these lines.
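The process lineage reported in this update (explorer.exe starting ezvit.exe, which starts rundll32.exe with a DLL argument) is something a defender can hunt for in process-creation telemetry. The following script is an added example written for this page, not Bitdefender's code or telemetry; it walks constructed Sysmon-style process records (all PIDs, paths and the placeholder DLL name are invented) and flags any rundll32.exe invocation that has ezvit.exe anywhere in its ancestry, so it also catches the case where an intermediate process such as cmd.exe sits between the two, which goes slightly beyond the direct parent/child chain described above.

```python
"""Flag rundll32.exe launches descended from the ezvit.exe accounting binary.

All records below are constructed for illustration; they are not real telemetry.
"""
from collections import namedtuple

# One process-creation record: process id, parent process id, image path, command line.
Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed sample events in the style of Sysmon Event ID 1 (hypothetical values).
SAMPLE_EVENTS = [
    Proc(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Accounting application started by the user from the desktop.
    Proc(2100, 1000, r"C:\Program Files\MEDoc\ezvit.exe", "ezvit.exe"),
    # Direct child of the accounting app loading a DLL via rundll32 (the pattern described above).
    Proc(2200, 2100, r"C:\Windows\System32\rundll32.exe",
         r"rundll32.exe C:\Users\Public\payload_placeholder.dll,#1"),
    # Benign rundll32 launched straight from explorer.exe, no ezvit.exe in the chain.
    Proc(3300, 1000, r"C:\Windows\System32\rundll32.exe",
         "rundll32.exe shell32.dll,Control_RunDLL"),
    # Benign child of the accounting app that is not rundll32 (placeholder updater name).
    Proc(2300, 2100, r"C:\Program Files\MEDoc\updater_placeholder.exe", "updater_placeholder.exe"),
    # Same lineage with an intermediate shell: ezvit.exe -> cmd.exe -> rundll32.exe.
    Proc(2400, 2100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c start"),
    Proc(2500, 2400, r"C:\Windows\System32\rundll32.exe",
         r"rundll32.exe C:\Users\Public\payload_placeholder.dll,#1"),
]


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_index(events):
    """Map pid -> record so ancestry can be walked in O(depth)."""
    return {e.pid: e for e in events}


def ancestry(index, pid):
    """Yield image basenames starting at pid and walking up through its parents.

    Stops when the parent is not in the index or when a pid repeats (pid reuse guard).
    """
    seen = set()
    while pid in index and pid not in seen:
        seen.add(pid)
        yield basename(index[pid].image)
        pid = index[pid].ppid


def find_suspicious(events, launcher="ezvit.exe", loader="rundll32.exe"):
    """Return (pid, chain, cmdline) for every loader process with launcher in its ancestry.

    Only loader processes that were actually handed a module to load are reported;
    a bare 'rundll32.exe' with no argument does nothing and is ignored.
    """
    index = build_index(events)
    hits = []
    for e in events:
        if basename(e.image) != loader:
            continue
        parts = e.cmdline.split(None, 1)
        if len(parts) < 2:
            continue  # no DLL argument, nothing was loaded
        chain = list(ancestry(index, e.pid))
        # chain[0] is the loader itself; look for the launcher among its ancestors.
        if launcher in chain[1:]:
            hits.append((e.pid, " -> ".join(reversed(chain)), e.cmdline))
    return hits


if __name__ == "__main__":
    for pid, chain, cmdline in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {chain} :: {cmdline}")
```

On real data the records would come from Sysmon, EDR or Windows Security event logs; the walk is the same, and the `launcher` argument can be set to whatever trusted application the update channel belongs to.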

Update 6/28 08.00 GMT+3

There is mounting evidence that the #GoldenEye / #Petya ransomware campaign might not have targeted financial gains but rather data destruction.

  • The choice of a regular, non-bulletproof e-mail service provider to act as a communication channel was obviously a wrong decision in terms of business.
  • The lack of automation in the payment & key retrieval process makes it really difficult for the attacking party to honor their end of the promise.
  • There is a total lack of usability in the payment confirmation: the user has to manually type an extremely long, mixed-case “personal installation key” plus the wallet address, which is prone to typos.

Update 6/28 06.00 GMT+3

The email address that was used by the threat actors to get payment confirmations has been suspended by Posteo. This means that all payments made overnight will be unable to get validated, and therefore will surely not receive the decryption key. Not that we have ever advised otherwise, but if you’re planning to pay the ransom, stop now. You’ll lose your data anyway, but you’ll contribute to funding the development of new malware. Even so, there have been 15 payments made after the suspension of the e-mail address. The wallet now totals 3.64053686 BTC out of 40 payments, with a net worth of $US 9,000.

Update 21.30 GMT+3

Several voices in the industry have speculated that the initial attack vector was a compromised update of the M.E. Doc accounting software utility that all breached companies were using. We have confirmed breaches in companies that did not use the respective software solution. Also, in a Facebook post on the company’s page, the vendor denies the allegations [Ukrainian].

Update 20.18 GMT+3

Several companies confirmed so far to have fallen victim to GoldenEye/Petya ransomware: Chernobyl’s radiation monitoring system, DLA Piper law firm, pharma company Merck, a number of banks, an airport, the Kiev metro, Danish shipping and energy company Maersk, British advertiser WPP and Russian oil industry company Rosneft. The attacks were widespread in Ukraine, affecting Ukrenergo, the state power distributor, and several of the country’s banks.

Update 18.45 GMT+3

GoldenEye/Petya operators have already received 13 payments in almost two hours. That is $3.5K USD worth of digital currency.

Update 18.30 GMT+3

Bitdefender Labs confirms that the GoldenEye / Petya ransomware leverages the EternalBlue exploit to spread from one computer to another. Additional exploits are also used to propagate. Details coming soon.

Original story:

Bitdefender has identified a massive ransomware campaign that is currently unfolding worldwide. Preliminary information shows that the malware sample responsible for the infection is an almost identical clone of the GoldenEye ransomware family. At the time of writing there is no information about the propagation vector, but we presume it to be carried by a wormable component.

Unlike most ransomware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another one that encrypts NTFS structures. This approach prevents victims’ computers from being booted up in a live OS environment to retrieve stored information or samples.

Just like Petya, GoldenEye encrypts the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer.

Additionally, after the encryption process is complete, the ransomware has a specialized routine that forcefully crashes the computer to trigger a reboot that renders the computer unusable until the $300 ransom is paid.

Bitdefender blocks the currently known samples of the new GoldenEye variant. If you are running a Bitdefender security solution for consumer or business, your computers are not in danger.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

17 Comments

  • Per https://virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/ BitDefender is NOT one of the 15 antivirus solutions that detects the June 27 2017 reported Petya Goldeneye ransomware files!

    • "At VirusTotal we are tired of repeating that the service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology, the most obvious being…" – more info here: https://www.virustotal.com/ro/faq/

      • Thank you for your thoughtful reply, Bogdan!

        I am familiar with the Virus Total proviso that you quote. Among other factors, the referenced passage emphasizes that security software effectiveness involves much more than just mere signature detection — I get that. Even so, I'm sure you'll agree that signature detection is an extremely important component in software designed to prevent infection.

        I shared Virus Total's report, not as a comparative analysis (i.e.: trying to determine whether one antivirus product is "better" than another), but rather as a means of raising the alarm that one seemingly-knowledgeable organization found that Bitdefender was one of several vendors whose virus scanners did not detect a pathogen that was claimed to exist in a single sample file that Virus Total claimed contained the latest form of the GoldenEye ransomware outbreak.

        As Bitdefender customer of 2 years (Bitdefender box) who only just recently purchased and installed Bitdefender software on my client computers, I grow concerned when my security software provider claims they protect against a viral attack in which at least one authority claims Bitdefender did not detect the virus' presence in a single file sample.

        Admittedly: it's an "N" of 1, and I'm no expert.

        Nevertheless, I would hope that an expert, like yourself, who claims the solution he represents protects users against the virus, would respond with further information or assurances that would mitigate Bitdefender customer concerns. I really would appreciate your own assessment of Bitdefender's ability to protect customer devices against this latest ransomware attack.

    • https://s8.hostingkartinok.com/uploads/images/2017/06/00f16f5751a53837813cd3fb8d316855.jpg

      BitDefender already have a signature, I just checked.

      • Thank you!
        https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100

  • It's amazing how none of the current alarming news reports actually describe – specifically – how the malware gets onto a machine! It would be very helpful to elaborate on this. Is it by clicking a URL in some email? is it by visiting some websites? is it by installing something? I mean, really all this fuss and alarm and not a word that carefully explains this, most unhelpful.

    • GoldenEye is a combination of Petya and MISCHA ransomware-type viruses. As with Petya and MISCHA, GoldenEye is distributed using a spam email message. The email delivers a fake job offer with text in German and two files attached. One is a fake CV, the other, a malicious MS Excel file. If the Excel file is opened, a pop-up requesting the user to "enable macros" appears. If these macro commands are enabled, the Excel file will generate an executable file and launch the ransomware.

    • From our latest update: "Our internal telemetry shows that some infections with #GoldenEye have been triggered by the compromised update of the MeDOC accounting software. A number of our customers in Ukraine where our solutions intercepted the attack clearly show explorer.exe starting up ezvit.exe (the accounting app binary) which in turn execute rundll32.exe with the ransomware’s DLL as parameter.

      Bottom line, we can confirm the MeDOC update as an infection vector. This makes Ukraine “patient zero” from where the infection spread across VPN networks to headquarters or satellite offices."

    • We have found that we have had no infections using BitDefender and by providing patch management strategies that ensure that the MS-017 patch is installed. Basically the answer is Managed IT Services