GoldenEye: What we know so far about WannaCry’s deadly sibling

28 Jun 2017

Image: Villedieu Christophe/Shutterstock

Major international ransomware attack has so far hit 2,000 high-profile targets with precision.

We told you WannaCry wasn’t dead and that something nasty was coming. But whether or not that something is nastier remains to be seen.

All across the world yesterday (27 June), a dangerous new ransomware cyberattack – known as Petya or GoldenEye – began to spread, appearing to strike first in Ukraine and then Russia before reaching the rest of Europe and beyond. Russia’s top oil producer, Rosneft, and several banks in the country were hit. Ukraine’s central bank and metro system also fell victim, as did Kiev’s Boryspil Airport and electricity supplier Ukrenergo.

‘This is a great example of two malware components coming together to generate more pernicious and resilient malware’
– PHIL RICHARDS

The virus then spread to Denmark, Norway and the Netherlands, via shipping giant Maersk's Russian subsidiaries. It hit ad agency WPP in London, French construction company Saint-Gobain and US food giant Mondelez, as well as the Asia Pacific region, including India's largest shipping container port.

The attack has even forced the Chernobyl nuclear plant to check radiation levels manually after Windows-based systems were shut down.

In Ireland, there have been reports that the virus has been detected in local operations of international pharma companies, and some users have claimed to have had $300 in bitcoin demanded in return for access to their systems.

The latest malware has been given a raft of different names, with some sticking to the original Petya and others referring to the latest variant as GoldenEye, NotPetya or ExPetr.

So, what is GoldenEye?

First off, WannaCry lives

Last month, WannaCry paralysed more than 300,000 systems across the planet with ransomware, knocking critical functions of organisations such as the NHS offline. It attacked unpatched Windows systems, and its spread was slowed by Microsoft's MS17-010 patch, which the company also released for older, unsupported versions such as Windows XP. WannaCry is still in the wild, however. Last week, it caused Japanese car manufacturer Honda to halt production, and infected 55 Australian traffic light cameras.

GoldenEye is definitely a sibling of sorts to WannaCry

Kaspersky Lab researcher Costin Raiu yesterday identified the malware as PetrWrap, a strain of the Petya ransomware investigated by the firm earlier this year. However, Kaspersky later clarified that GoldenEye is an entirely new strain of ransomware, which it dubbed NotPetya.

According to reports, the new ransomware employs the same EternalBlue exploit used by WannaCry to spread quickly between systems. EternalBlue, which was published by the Shadow Brokers in April, targets the SMBv1 file-sharing protocol in Windows (Microsoft fixed the flaw as MS17-010 in March) and is believed to be a cyber weapon stolen from the NSA's arsenal. In other words, an exploit developed with US taxpayers' money is wreaking havoc on systems around the world, including at US corporates. Patching alone is not enough this time: the malware also moves laterally with credentials harvested from infected machines, using standard Windows administration tools (WMIC and PsExec), so a fully patched host can still be hit from a compromised neighbour whose user holds admin rights on it.
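As an added example (not code from the article or from any of the vendors quoted in it), the following PowerShell audits a single Windows host for the two conditions EternalBlue needs: SMBv1 enabled and the MS17-010 fix absent. The KB list is an assumption drawn from the March 2017 MS17-010 release for the most common Windows versions; check the bulletin for the KB that applies to your build, and note that later cumulative updates supersede these numbers on Windows 10.

```powershell
# Added example (not from the article): audit this host for EternalBlue exposure.
# Run in an elevated PowerShell session on the host being checked.

# ASSUMPTION: March 2017 MS17-010 KB numbers for common Windows versions.
# Later cumulative updates supersede these, so treat a miss as "verify", not "vulnerable".
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the server-side switch directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg = Get-SmbServerConfiguration
        return [bool]$cfg.EnableSMB1Protocol
    }

    # Windows 7 / 2008 R2: the LanmanServer "SMB1" registry value controls it;
    # when the value is absent, SMBv1 is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $key -Name 'SMB1' -ErrorAction SilentlyContinue
    if ($null -eq $reg) { return $true }
    return ($reg.SMB1 -ne 0)
}

function Test-Ms17010Present {
    # True if any of the March 2017 MS17-010 KBs is listed as installed.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID)
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

$smb1Enabled = Test-Smb1Enabled
$patched     = Test-Ms17010Present

[pscustomobject]@{
    Host         = $env:COMPUTERNAME
    SMB1Enabled  = $smb1Enabled
    MS17010Found = $patched
} | Format-List

if ($smb1Enabled) {
    Write-Warning 'SMBv1 is enabled. Disable it (a reboot may be required):'
    Write-Warning '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    Write-Warning '  Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol'
}
if (-not $patched) {
    Write-Warning 'No March 2017 MS17-010 KB found. Confirm a later cumulative update is installed, or patch now.'
}
```

Two caveats when using this. First, block TCP 445 at the network perimeter as well; the check above only covers the host itself. Second, none of this addresses the credential-based lateral movement described above: that requires limiting where local administrator credentials are reused across machines and treating any infected host as a source of stolen passwords.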

But, while WannaCry appeared crude, GoldenEye is more subtle and targeted. The attacks are precise in nature, with 2,000 infections hitting major companies – such as pharma giant Merck – rather than the hundreds of thousands in the scattergun attack by WannaCry.

“This ransomware is slightly different, applying a multi-level approach, where it encrypts the master boot record of the machine when run as admin and, when run as a normal user, it encrypts specific files on the system,” explained PwC Ireland cyber leader Pat Moran.

“It also uses several different methods to ensure that it affects as many machines as possible.”

No kill switch has been found

Unlike WannaCry, where security researchers found a kill switch of sorts within 24 hours (the malware checked whether an unregistered domain existed before spreading, and registering that domain stopped it), no such kill switch has yet been found for GoldenEye (at the time of writing). GoldenEye apparently uses two layers of encryption, one for individual files and one for the disk's boot and file-system structures, frustrating researchers in their efforts to stop it in its tracks.

It wants money

Yes, there are hackers behind this attack and they want users to pay a ransom in return for access to their systems and data. According to Reuters, at least 30 victims have paid into the bitcoin account associated with the attack. The US Department of Homeland Security has urged users not to pay any ransom because doing so would be no guarantee that access would be restored.

The hackers haven’t made it easy for themselves to get the money. The payment mechanism apparently relies on manual payment validation so that when victims pay the ransom, they must send proof of payment to an email address in return for a decryption key.

However, the hackers’ email provider, Posteo, has pulled the plug on the account, making payment confirmation impossible.

There are various theories on who is behind the attack

No one knows for sure who is behind the malware, whether it is a hacker collective acting independently or governments supporting the attackers. Allegations that the Shadow Brokers group is backed by the Russian government and that North Korea was behind WannaCry have been denied by both countries.

“This malware appears to have been targeted at Ukrainian infrastructure groups such as government workstations, power companies, banks, ATMs, state-run television stations, postal services, airports and aircraft manufacturers. Since the initial infection, it has spread to other markets and beyond Ukraine's borders,” said Phil Richards, CISO at Ivanti.

“The Petya component includes many features that enable the malware to remain viable on infected systems, including attacking the master boot record. The EternalBlue component enables it to proliferate through an organisation that doesn’t have the correct patches or antivirus/anti-malware software.

“This is a great example of two malware components coming together to generate more pernicious and resilient malware.”

Simon Taylor, vice-president of products at Glasswall, added: “Cybersecurity experts believe the current attack may be based on last month’s WannaCry attack.

“Whatever name they give it, they cannot protect some of the world’s largest businesses and organisations. Most attacks now begin with malicious code hidden in an email attachment, which is installed when employees are tricked into clicking on it via social engineering. Secreting code in the structure of common file types – such as Word documents, Excel spreadsheets, PowerPoint files and PDFs – is the most common method criminals now use.

“Because antivirus defences are no longer any use against these attacks, organisations must start to rely on more innovative email security techniques. Until then, these types of attacks will continue to be commonplace.”

In conclusion, we can expect these kinds of ransomware attacks, mutants of WannaCry, to continue, as hackers either get creative and cause turmoil for fun, or something more sinister is at play.

Welcome to the deadly new age of ransomware.

Updated, 11.45am, 28 June 2017: This article was updated to clarify the name(s) of the malware.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
