On June 27, a new strain of the Goldeneye/Petya ransomware armed to the teeth with exploits swept the globe in a manner reminiscent of May”s WannaCry pandemic, hitting government agencies, banks, power companies, drug makers, shipping giants, and the list could go on.
A preliminary investigation by Bitdefender showed the malware sample responsible for the infection was an almost identical clone of the GoldenEye ransomware family. The media settled on calling it Petya, as it also shares multiple similarities with that ransomware strain.
When it was discovered, no information was available about the propagation vector. However, as with the WannaCry ransomware attack in May, Goldeneye/Petya seemed to be carried by a wormable component.
Today, we have enough information to make a more complete profile of the malware, including some juicy technicalities that will no doubt pique the interest of the geek demographic.
Reports from Ukraine, the country hit hardest by the contagion, indicate that the first wave of attacks occurred there, on June 27, around 2 PM local time.
While the ransomware initially took hold in Ukraine and Russia, it soon spread to several European countries, including Poland, Germany, Italy, Spain, and France. Subsequent reports revealed breaches at companies in India and the United States. Around the same time, British ad company WPP tweeted that its systems had fallen victim to a cyberattack.
The list of companies hit by GoldenEye/Petya is more or less complete, depending on the willingness of victims to admit to the breach. However, we know its victims include:
It”s not yet known who the attackers are. The possibilities are so vast, speculation is futile at this point. However, we do know, based on their publicly available Bitcoin wallet, that they”ve amassed $10,000 in cryptocurrency as a result of the attack.
GoldenEye/Petya is classified as ransomware, as it is designed to encrypt data on infected systems and demand ransom money in exchange for unscrambling the data.
Our analysis indicates that GoldenEye/Petya uses the same EternalBlue exploit employed by WannaCry to replicate laterally, in what IT folk refer to as the “worm” component of the malware. This component allows the malware to replicate itself on vulnerable systems across a network. Unlike last month”s infection, though, Petya has more aces up its sleeve.
An additional exploit dubbed EternalRomance was used to further ensure the malware”s “wormable” nature. Finally, a credential dumping tool (sharing code similarities with an older hack tool called Mimikatz) embedded in the software allowed GoldenEye/Petya to infect even non-vulnerable (patched) systems by simply gaining administrator rights on the machines. A recent Microsoft blog post analyzes this in detail.
Another important aspect of GoldenEye/Petya is its encryption mechanism â€“ two of them, to be precise. The malware encrypts not only individual files, but also the computer”s entire file system by compromising the Master Boot Record (MBR) â€“ a file responsible for finding the operating system and booting the computer â€“ and subsequently the Master File Table (MFT) of the NTFS file system.
Our internal telemetry shows that some infections with GoldenEye/Petya were triggered by a compromised update of the MeDOC accounting software. Bitdefender customers in Ukraine, where our solutions intercepted the attack, show explorer.exe starting up ezvit.exe (the accounting app binary) which then executes rundll32.exe with the ransomware”s DLL as parameter.
The MeDOC update therefore is a key infection vector, making Ukraine “patient zero” â€“ where the infection spread across VPN networks to headquarters or satellite offices. In addition to the MeDOC update, some other infection vectors are under investigation.
GoldenEye/Petya is a piece of ransomware â€“ malware designed to infect systems, encrypt files on them and demand a ransom in exchange for the decryption keys.
However, as the situation was being contained yesterday evening, evidence began to mount that Petya was basically a data destroyer â€“ either meant as a test, or simply to harm victims.
Here are the clues:
The first rule of thumb is to keep your systems up to date. Remember that GoldenEye/Petya leverages vulnerabilities patched by Microsoft with several express updates starting in March. You have no excuse to remain unpatched following the WannaCry and GoldenEye/Petya attacks.
Run a trusted AV solution. Bitdefender blocks the currently known samples of the new GoldenEye/Petya ransomware. Computers running a Bitdefender security solution for consumer or business are safe against GoldenEye/Petya and WannaCry.
Considering Petya”s “plan B” to use lateral movement through credential theft and impersonation when faced with a patched system, companies might want to consider restricting administrator rights on employee endpoints. The same advice applies to regular users as well.
Bitdefender strongly advises all companies who have offices in Ukraine to be on the lookout and to monitor VPN connections to other branches.