Bitdefender has identified a massive ransomware campaign that is currently unfolding worldwide. Preliminary information shows that the malware sample responsible for the infection is an almost identical clone of the GoldenEye/Petya ransomware family.
Several organizations have so far been confirmed to have fallen victim to GoldenEye/Petya ransomware: Chernobyl’s radiation monitoring system, the DLA Piper law firm, pharmaceutical company Merck, a number of banks, an airport, the Kiev metro, Danish shipping and energy company Maersk, British advertiser WPP and Russian oil company Rosneft. The attacks were widespread in Ukraine, affecting Ukrenergo, the state power distributor, and several of the country’s banks.
Bitdefender Labs confirms that the GoldenEye / Petya ransomware leverages the EternalBlue exploit to spread from one computer to another. Additional exploits are also used to propagate. Details coming soon.
Unlike most ransomware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another that encrypts NTFS structures. This approach prevents victims’ computers from being booted into a live OS environment to retrieve stored information or samples. Just like Petya, GoldenEye encrypts the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer.
Additionally, after the encryption process is complete, the ransomware has a specialized routine that forcefully crashes the computer to trigger a reboot that renders the computer unusable until the $300 ransom is paid.
Bitdefender blocks the currently known samples of the new GoldenEye variant.
GravityZone provides a layered next-gen architecture that delivers prevention, detection, remediation and visibility in a single modular platform.
Bitdefender Machine Learning models, available in all editions of Bitdefender GravityZone, are designed specifically to catch never before seen attacks at pre-execution stage.
In addition to machine learning, it also includes Process Inspector, which continuously monitors all running processes and hunts for suspicious activities or anomalous process behaviors commonly associated with ransomware.
Moreover, Bitdefender’s revolutionary Hypervisor Introspection technology, unique on the security market, is able to protect virtual servers from the entry mechanism of these attacks (the MS17-010 exploitation technique, otherwise known as EternalBlue).