How Scared Should You Be about GoldenEye & Petya Ransomware?
Here we go again. Last week, a new global cyberattack, initially referred to as Petya ransomware, hit organizations in 64 countries. Like WannaCry just a few weeks earlier, Petya quickly wreaked havoc across the globe, exploiting stolen NSA tools to cripple computers at high-profile targets, including energy suppliers, pharmaceutical manufacturers and shipping companies.
But this time, the attack was even nastier. And, if experts are right, it’s only the beginning of a new wave of dangerous cyberattacks yet to come.
Today, we take a closer look at Petya ransomware, where it came from and what it means for companies like yours.
What We Know about Petya Ransomware
At the start of last week’s attacks, researchers first referred to the infection as Petya ransomware, because it bore similarities to a strain that appeared in March 2016. But when experts at the Russian cybersecurity firm Kaspersky Lab took a closer look, they determined this was something different.
For starters, the encryption was stronger. And unlike WannaCry, there was no glaring kill switch. To top things off, this new ransomware could infect computers in multiple ways—certainly more ways than the original Petya (which spread only via infected email attachments) and also in more ways than the worm-like spread of WannaCry.
This led researchers to give the infection a new name: GoldenEye ransomware, or simply NotPetya, as coined by Kaspersky.
Quick Facts on NotPetya / GoldenEye
Here’s everything we know so far about how this nasty attack went down:
- Ukraine was hit first. Microsoft said the attack originated at M.E.Doc., a Ukrainian accounting software firm.
- 12,500 machines were infected in Ukraine alone.
- “Oops, your important files have been encrypted,” read one of the notifications that users saw on their screens. “If you see this text then your files are no longer accessible because they have been encrypted. Perhaps you are busy looking to recover your files but don’t waste your time.”
- $300 in Bitcoin was the requested ransom to restore the files. Since Bitcoin addresses are public, it’s clear that 45 transactions were made, so some users likely tried paying the ransom. But…
- Files cannot be restored, even if users pay the ransom. That’s because the email address used by the attackers was shut down.
A week after the attack, NotPetya ransomware is still not done. It has spread across 64 countries, including the United States. Here’s just some of the destruction it has caused so far.
- Organizations in 5 countries were hit the hardest: Ukraine, Russia, Poland, Italy and Germany.
- ATMs stopped working in Kiev, Ukraine.
- Ukraine’s central bank and a number of the country’s commercial banks were infected.
- Computers failed at the old Chernobyl nuclear plant, forcing workers to monitor radiation manually.
- Danish shipping company Maersk felt the impact on all its business units, including “container shipping, port and tug boat operations, oil and gas production, drilling services, and oil tankers.”
- FedEx’s subsidiary TNT Express was hit, causing FedEx stock trading to be halted temporarily.
- Russia’s largest crude oil producer Rosneft said its servers were hit, forcing it to switch to a backup system.
- U.S. pharmaceutical giant Merck was hit at all of its offices, forcing the company to send its employees home.
GoldenEye vs. WannaCry: What’s the Difference?
Let’s face it. Both forms of ransomware will make you wanna’ cry. But there are striking differences between GoldenEye (aka NotPetya) and WannaCry.
As the New York Times put it, GoldenEye is WannaCry’s “meaner, more clever sibling.” GoldenEye didn’t hit nearly as many systems: only 2,000 targets within the first day, compared to WannaCry’s staggering infection totals, which were in the hundreds of thousands. But GoldenEye was more targeted, going after not just the most vulnerable, but also the highest-profile.
WannaCry used the stolen NSA exploit known as EternalBlue to infect unpatched Windows systems at the kernel level and spread across the network. GoldenEye did that too, but that’s not the only trick it has up its sleeve.
Whereas WannaCry leveraged EternalBlue almost exclusively, GoldenEye relied on additional methods, such as hidden infections in M.E.Doc, the Ukrainian accounting software, as well as possible malicious macros in Microsoft Word documents. But it doesn’t stop there. GoldenEye appears to be using additional NSA exploits, including EternalRomance and EsteemAudit—both of which enable various forms of remote access.
As Wired reports, “Once inside the network, the ransomware steals administrative credentials, giving it control over powerful system management tools like Windows PsExec and Windows Management Instrumentation.”
Once the malware compromises enough administrative privileges, it basically instructs all other PCs on the network to run the malware as well. Game over.
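As an added example (not code from the original post or from any vendor named on this page), here is the detection logic a defender could run over Windows event records to catch the three lateral-movement steps described in the two paragraphs above: a PsExec service install, WMI-spawned execution of perfc.dat, and one administrative account logging on to many hosts. The event records are constructed to resemble Windows Security/System log fields, and the field names are assumptions.

```python
"""Detection rules for the lateral-movement steps described above.
Hypothetical example: the records are constructed to mimic Windows event log
fields (Security 4688, System 7045, Security 4624); they are not real logs."""
from collections import defaultdict

# Constructed sample events, flattened to one dict per record.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "WS01", "user": "CORP\\itadmin", "logon_type": 3, "src": "10.0.0.5"},
    {"id": 7045, "host": "WS01", "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"id": 4688, "host": "WS01", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "process": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\perfc.dat"},
    {"id": 4624, "host": "WS02", "user": "CORP\\itadmin", "logon_type": 3, "src": "10.0.0.5"},
    {"id": 4624, "host": "WS03", "user": "CORP\\itadmin", "logon_type": 3, "src": "10.0.0.5"},
    {"id": 4688, "host": "WS03", "parent": "C:\\Windows\\explorer.exe",
     "process": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"},
]

def psexec_service_installs(events):
    """System 7045: a PSEXESVC service appearing on a host means PsExec was run against it."""
    return [e for e in events if e["id"] == 7045
            and "PSEXESVC" in (e.get("service", "") + e.get("image", "")).upper()]

def wmi_spawned_rundll32(events):
    """Security 4688: WmiPrvSE.exe as the parent of rundll32 loading a DLL (here perfc.dat)."""
    hits = []
    for e in events:
        if e["id"] == 4688 and e["parent"].lower().endswith("wmiprvse.exe") \
                and "rundll32" in e["process"].lower():
            hits.append(e)
    return hits

def credential_fanout(events, threshold=3):
    """Security 4624 type-3 logons: one account from one source reaching >= threshold hosts."""
    targets = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3:
            targets[(e["user"], e["src"])].add(e["host"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= threshold}

def run_rules(events):
    """Return one summary entry per rule, the way a SIEM alert pipeline would."""
    return {"psexec": len(psexec_service_installs(events)),
            "wmi_rundll32": len(wmi_spawned_rundll32(events)),
            "fanout": credential_fanout(events)}
```

On the constructed sample, every rule fires once; on real telemetry the fan-out threshold should be tuned to the normal behaviour of your management accounts.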
It’s (Probably) Not About the Money
This new variant of Petya ransomware harkens back to the old days of cyberattacks, when destruction was intended purely for destruction, instead of simply making money.
Despite NotPetya’s sophistication, it missed out on the opportunity to extort a lot more money from its targets. This leads researchers to believe that the goal was not collecting ransom.
The “problem” with NotPetya was the way in which it asked for ransom payments. It relied on manual payment validation, requiring victims to email proof of their Bitcoin payments to a single email address. This method makes it harder for hackers to collect the money and also makes victims question whether they will really get their decryption keys. More successful ransomware attacks set up multiple avenues to collect the ransom payments from users.
Also, payment confirmation became virtually impossible after the email provider, Posteo, shut down the email account. The attackers may have anticipated this would happen and didn’t care.
What the Heck is Going on Here?
Two of the biggest cyberattacks in history within just a few weeks. Coincidence? Probably not.
In the case of GoldenEye, researchers point out that the attack, which hit Ukraine hardest, occurred just before Ukraine’s Constitution Day, which commemorates the nation’s independence from the Soviet Union. So a possible explanation is that this is a state-sponsored attack (or made to look like one), just another chapter in an ongoing cyberwar.
Regardless, hopefully it’s clear by now to companies across the globe that they really need to up their business continuity game. Experts believe that these types of attacks could easily become everyday dangers, no matter who is behind them. It’s also shocking that larger companies have been slow to protect themselves. Both WannaCry and NotPetya have exploited Windows vulnerabilities that have been known for months. Patches were made available long ago.
Worse yet, lesser-known but equally scary attacks are already happening. Just days before the NotPetya attack, the New York Times reported an attack on telecommunications company IDT, in which ransomware was used as a “smoke screen for a far more invasive attack that stole employee credentials.”
For most companies, the intentions behind these attacks shouldn’t necessarily matter. Ransomware is crippling, and it’s not going away anytime soon. Every organization should be taking proactive steps to protect itself.
How to Prevent NotPetya and Other Ransomware
As Wired points out, “The diversity of [NotPetya’s] delivery options means that no single patch can necessarily provide complete protection against it.” Patches are critical, of course, but you need a 360-degree approach to preventing ransomware, supported by a solid data backup system in case an infection happens.
Here’s a checklist of the critical actions you need to take:
- Curb the infections.
  - If you’ve been infected with Petya, you may be able to stop it from spreading across your network by blocking the file perfc.dat (located in C:\Windows) from Windows Management Instrumentation.
  - Wired also notes that you can use “Microsoft’s Local Administrator Password Solution to protect credentials that grant network privileges.”
  - Shut down all infected machines and/or remove them from the network.
- Patch, patch, patch.
As NotPetya has proved, patching alone may not protect your systems, but it’s absolutely an essential first step. If your Windows machines automatically install updates, you’re good. Otherwise, head over to Microsoft for security update MS17-010, which protects against the EternalBlue exploit.
- Deploy anti-ransomware software.
Many anti-malware solutions are unable to detect ransomware. It may be a good idea to look into dedicated anti-ransomware solutions, such as Cybereason, which protects against NotPetya attacks.
- Train employees on what to look for.
While NotPetya exploited hidden OS vulnerabilities, most ransomware still relies on old-fashioned phishing attacks, malicious attachments and bad links. Use periodic training sessions to teach staff how to detect bad emails and practice safe Internet usage.
- Back up your data!
The key to business continuity—no matter what kind of threat—is frequent, dependable backups. With ransomware, you may never get your data back, even if you pay the ransom. Restoring a recent backup is typically the single easiest and fastest way to get your data back and remove the threat. Plus, with backup solutions like Datto’s, the built-in ransomware protection will detect an infection and notify the administrator, thus minimizing the damage and reducing potential data loss.
This conversation isn’t over.
As I said after WannaCry, we haven’t seen the last of global ransomware attacks like this. And now that attacks like NotPetya appear more focused on destruction than money, we will likely see even more crippling outbreaks in the months ahead.
Check our blog for developments on the latest ransomware attacks, as well as business continuity tips that can protect your organization.