The GoldenEye ransomware had a brief life, operating only in December 2016. As a result, this ransomware virus is not very well known. However, it is a version of a very well-known ransomware family called Petya.
The original Petya surfaced in March 2016. It went through four versions in quick succession, and GoldenEye was the last of those. The Petya ransomware system originated in Russia, and the GoldenEye version specifically targeted German businesses.
What is distinctive about GoldenEye?
The GoldenEye ransomware is a combination of two attack strategies. First, two viruses get downloaded together. These are called Mischa and Petya. Second, like all ransomware, these viruses encrypt data and then demand a payment to get the decryption key.
Petya was groundbreaking at the time because it doesn’t encrypt files; it encrypts the file system. This strategy makes encryption impossible to circumvent.
Petya and GoldenEye attacks are not launched by the owners of the malware. Instead, these systems are made available to others in a Ransomware-as-a-Service format. So, the many targeted attacks were commanded by many different people.
Petya was first released for a limited customer base in a Beta version. This was called Red Petya because its logo and ransom note showed on a red background. Unfortunately, Petya wasn’t so successful because it required Administrator privileges to get down to the operating system and perform its encryption.
When the system went into general release, the developers improved the design and changed its color theme, making it Green Petya. This version introduced Mischa, which works like a traditional ransomware attacker by encrypting files. Green Petya first tried its low-level attack, and if it couldn’t get the Administrator level, it launched Mischa.
An intermediate release, version 2.5, fixed bugs in the ransomware. This was still running as Green Petya. As the fourth version of Petya, release 3.0, GoldenEye was the perfected system. GoldenEye launches both Mischa and Petya, with Mischa running first. So, this is a double encryption system. Marking the change from Green Petya, the livery of GoldenEye is yellow and black.
Where does GoldenEye ransomware come from?
The creators of GoldenEye are called Janus Cybercrime Solutions. This is not one of the big state-sponsored hacker groups. However, clues in its imagery, branding and naming conventions point to the group being based in Russia.
Janus Cybercrime Solutions ran a Twitter account under the name Janus Secretary. The account was active during 2016 and 2017, but there have been no recent posts on the profile.
What does GoldenEye mean?
If you are a Bond fan, you have probably seen the movie GoldenEye. This is the inspiration for the name of GoldenEye ransomware. The hacker group itself takes its name from the movie as well.
In GoldenEye, a Russian crime organization called the Janus Syndicate takes advantage of the chaos during the collapse of the Soviet Union by hacking into the control system for two Soviet satellites. These Satellites are called Petya and Mischa. Then, they launch an electromagnetic pulse weapon called GoldenEye.
The Russian hacker group took the name of Janus and used the name of one of the satellites, Petya, for its ransomware. When they needed another name for their second virus, Mischa was available. However, there were only two satellites in the movie, so when the hackers were looking for a third name, they resorted to the film’s title.
The fact that the hackers identify so closely with this fictional crime syndicate indicates that they are Russian.
Successors to GoldenEye
The fame of the Petya series of ransomware is due to the actions of other hackers after Janus Cybercrime Solutions dropped their RaaS service at the end of 2016. Several other hacker groups scraped the code for the GoldenEye ransomware and integrated it into their ransomware. Petya had a good reputation because of its groundbreaking strategy. So, it had its imitators.
The notable copycats of GoldenEye ransomware and the original Petya are:
- PetrWrap – A derivative of Green Petya that uses its intrusion mechanism.
- Santana – A system with all the hallmarks of a test version and a copy of GoldenEye.
- Petya+ – This is an impersonator of Petya rather than a copy. It locks the screen and puts up a ransom demand, headed with the name Petya but doesn’t perform any encryption.
- NotPetya – This is the most destructive version of Petya that made the whole series famous. The Sandworm hacker group wrote it on a commission from the GRU – Russia’s military intelligence service. This ransomware is also known as EternalPetya and ExPetr.
Although none of the versions of Petya were used for benign purposes, NotPetya is the real source of the accusations levelled at the Petya system. That ransomware is not truly part of the Petya lineage in the way that the GoldenEye ransomware is.
The NotPetya system was identified as a weapon used by the Russian government in June 2017 to seriously weaken Ukraine and assist Donbas separatists in gaining the upper hand in their fight for independence.
While 80 percent of all NotPetya attacks occurred in Ukraine, businesses in other countries were also hit. Despite having similarities with GoldenEye, NotPetya is not, in fact, ransomware. It simply overwrites the Master Boot Record, and it has no mechanism to reverse that damage – it is a wiper.
How does GoldenEye ransomware work?
GoldenEye had a very short life. Its first attacks were launched on the 5th December 2016, and its campaign did not outlast the year. While all of the previous versions of Petya communicated in English, GoldenEye wrote to targets in perfect German. It was a bespoke edition of a system that was offered as a Ransomware-as-a-Service platform. It is strange that the Janus group chose to target only Germany. It is possible that GoldenEye was custom built for a major client of the Petya RaaS platform.
The invasion routine of a GoldenEye attack started with research. Each target was a business advertising a vacancy. The targeting email was sent in response to an advert, so GoldenEye was not used for bulk mail-outs. The emails always came from Rolf Drescher. This was a dig at a German cybersecurity consultancy Dipl.- Ing. Rolf B. Drescher VDI & Partner that offered Petya mitigation services.
The email sent to targets had two attachments – a resume in PDF format and an XLS file. The XLS file contained the installer for GoldenEye, implemented as macros that would trigger when the file was opened.
The macros opened up a connection to a remote server, downloaded the code for Mischa, and then executed it. The installer then copied down and ran the low-level Petya code. GoldenEye had perfected Petya: it overcame the block that had hampered earlier versions by removing the requirement for the user account to have Administrator rights to get down to the operating system.
On starting, GoldenEye crashed the PC and restarted it. The user was then shown a fake CHKDSK screen, which was written in English. This showed a progress bar, seemingly to show the advancement of the check. However, this fronted the encryption process.
GoldenEye exploited a loophole in the Windows operating system to overwrite the Master Boot Record (MBR), disable the Safe Mode startup option, and then encrypt the Master File Table (MFT). The GoldenEye system uses RSA and AES encryption ciphers for its Mischa phase and Salsa20 encryption for its Petya processes.
When the MFT encryption process completed, the PC showed the GoldenEye logo, a skull and crossbones composed of text characters. The ransomware then showed its ransom instructions.
To recover from this attack, the user was instructed to install the Tor browser, surf to a specific website, and enter a unique ID. This website then gave the victim instructions on how to pay the ransom in Bitcoin. Once the payment had been made, the user was given a decryption key for the MFT locker and a decryptor utility to reverse the Mischa encryption.
Unlike some ransomware systems, the decryption routine worked well, and those targets that paid the ransom were able to recover fully.
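The infection chain described above (an Office macro spawning a downloader, which then writes the Master Boot Record) is something endpoint telemetry can catch. The following detector is an added example written for this article, not code from the GoldenEye malware or from any product; the JSON event records and process names it runs over are constructed samples, and the event types (`process_create`, `network_connect`, `raw_disk_write`) are an assumed EDR-style schema.

```python
import json
# Office applications whose macros the article describes as the infection vector.
OFFICE_APPS = {"EXCEL.EXE", "WINWORD.EXE"}
# Constructed EDR-style telemetry (one JSON object per line), written for this
# example; these are not captured GoldenEye logs.
SAMPLE_TELEMETRY = r"""
{"ts": 1, "type": "process_create", "pid": 410, "ppid": 300, "image": "EXCEL.EXE"}
{"ts": 2, "type": "process_create", "pid": 420, "ppid": 410, "image": "stage1.exe"}
{"ts": 3, "type": "network_connect", "pid": 420, "dest": "203.0.113.5:443"}
{"ts": 4, "type": "process_create", "pid": 430, "ppid": 420, "image": "stage2.exe"}
{"ts": 5, "type": "raw_disk_write", "pid": 430, "device": "\\\\.\\PhysicalDrive0", "offset": 0}
{"ts": 6, "type": "process_create", "pid": 500, "ppid": 1, "image": "chrome.exe"}
{"ts": 7, "type": "network_connect", "pid": 500, "dest": "198.51.100.7:443"}
"""

def parse_events(text):
    """Parse JSON-lines telemetry into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def process_lineage(pid, parents, images):
    """Image names from pid up to the root of the known tree, child first."""
    chain, seen = [], set()
    while pid in images and pid not in seen:
        seen.add(pid)
        chain.append(images[pid])
        pid = parents[pid]
    return chain

def detect_goldeneye_chain(events):
    """Flag Office-descended processes that contact the network (stage download)
    or write sector 0 of a physical drive (the MBR overwrite the article describes)."""
    parents, images, findings = {}, {}, {}
    for e in events:
        if e["type"] == "process_create":
            parents[e["pid"]], images[e["pid"]] = e["ppid"], e["image"]
    for e in events:
        if e["type"] not in ("network_connect", "raw_disk_write"):
            continue
        chain = process_lineage(e["pid"], parents, images)
        if not any(img.upper() in OFFICE_APPS for img in chain[1:]):
            continue  # no Office ancestor: ordinary activity, e.g. a browser
        f = findings.setdefault(e["pid"], {"chain": chain, "stages": set()})
        if e["type"] == "network_connect":
            f["stages"].add("download")
        elif e.get("offset") == 0:
            f["stages"].add("mbr_overwrite")
    for f in findings.values():
        f["severity"] = "critical" if "mbr_overwrite" in f["stages"] else "high"
    return findings
```

The browser connection is ignored because it has no Office process in its ancestry, while the stage-two process that writes sector 0 is rated critical on the strength of that lineage alone.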
The best tools to protect against GoldenEye ransomware
The best protection against the GoldenEye ransomware is to educate users against opening attachments or following links in emails. You also need to back up every device on your system regularly and separately, so that a virus uploaded from one infected endpoint cannot contaminate the backup files for your entire system.
There are some excellent tools available to protect against GoldenEye and all other ransomware attacks. Here are three.
1. CrowdStrike Falcon Insight (FREE TRIAL)
CrowdStrike Falcon Insight is an endpoint detection and response system that includes resident modules on each endpoint plus a cloud-based module. While the endpoint modules provide constant protection for each device, the cloud service keeps all efforts coordinated and provides the processing power for the whole system.
This tool is perfect for defense against GoldenEye ransomware and all other malware because CrowdStrike has a research team that spots new malware quickly and tracks its development.
The device agent is also available as a standalone next-generation antivirus service. This is called CrowdStrike Falcon Prevent. By monitoring all of the installations of Falcon Prevent, the Falcon Insight system can quickly track all activity on the entire system.
The Falcon Insight service shares attack intelligence between all clients of the system. This means that as soon as one client experiences an attack from new malware, all other clients’ instances get notified. It isn’t possible to plan malware templates, such as ransomware, because there will always be new variants. The critical work is to detect unusual activity and block that device to prevent the infection from spreading. This is the “response” part of the Insight system.
You can get a 15-day free trial of Falcon Prevent.
2. ManageEngine DataSecurity Plus
ManageEngine DataSecurity Plus focuses on monitoring file integrity. It is an excellent system to choose if you follow a data privacy security standard, such as PCI DSS, HIPAA, or GDPR. It is also a very suitable system for protection against GoldenEye ransomware and other malware that touches files.
This is on-premises software that focuses on defending Windows, the prime target of GoldenEye ransomware. The software for this service runs on Windows Server.
The DataSecurity Plus system tracks all file activity. You can choose how the system reacts when it detects unauthorized file changes. It will send out an alert to notify you of unusual activity. Still, you can also specify automated responses, such as cutting the device off from the network, shutting it down, or logging the user off.
ManageEngine DataSecurity Plus is available for a 30-day free trial.
3. BitDefender GravityZone
BitDefender GravityZone offers many points of protection against the GoldenEye ransomware and other types of malware. This is a complete security package that protects endpoints and networks and scans for viruses at every location.
GravityZone includes a backup management system as well as endpoint antivirus protection. This means that ransomware is spotted as soon as it downloads onto an endpoint, and if, in the future, new ransomware can bypass AV checks, it will still be spotted before it is uploaded to backup servers. GravityZone also manages restore actions and makes further virus checks during that phase.
The GravityZone system also includes file integrity management, configuration management, vulnerability scanning, and automated patching. These are all essential tools for guarding against ransomware. In addition, with this suite of services, users have immediate protection, system hardening, system restore functions, and file monitoring, which are all tools that you need to protect against GoldenEye ransomware.
GravityZone runs as a virtual appliance, and it is available for a one-month free trial.
The article What is GoldenEye Ransomware & How to Protect Against It? appeared first on Comparitech.