GoldenEye ransomware follows in WannaCry’s footsteps
Updated: 28 Jun 2017, 03:26 AM IST
The GoldenEye ransomware, which on Tuesday struck nations across Europe, takes advantage of the same weakness as WannaCry did
Just when companies started believing that WannaCry—the malware that held over 200,000 individuals across 10,000 organizations in nearly 100 countries to ransom—was on the wane, ransomware has reared its ugly head again.
While the extent of the cyberattack is yet to be ascertained, the virus christened GoldenEye (a variant of the Petya ransomware) by security firm Bitdefender Labs has had its biggest impact on companies in Ukraine. And while the targets primarily appear to be European countries, the ransomware is also reported to be making inroads in countries such as India.
According to Bitdefender Labs, Chernobyl’s radiation monitoring system, law firm DLA Piper, pharma company Merck, a number of banks, an airport, the Kiev metro, Danish shipping and energy company Maersk, British advertiser WPP and Russian oil firm Rosneft have been the targets so far. “GoldenEye/Petya operators have already received 13 payments in almost two hours. That is $3.5K USD ($3,500) worth in digital currency,” Bitdefender Labs researcher Bogdan Botezatu said in a note on Wednesday.
As its name suggests, ransomware is a type of malware that prevents or limits users from accessing their systems, either by locking the screen or by locking the users’ files unless a ransom is paid. Trend Micro points out that cases of ransomware infection were first seen in Russia between 2005 and 2006. The infections were initially limited to Russia, but spread across Europe and North America in early 2012.
Also going by names such as WannaCrypt, WCrypt, WCRY, WannaDecrypt0r or WanaCrypt0r 2.0, the ransomware WannaCry was designed to prevent access to a system until a sum of money is paid, usually in bitcoins. The malware was programmed to spread via SMB (Server Message Block)—the protocol Windows machines use to share files over a network. WannaCry took advantage of machines that support this protocol but had not received the critical MS17-010 security patch that Microsoft issued on 14 March.
Bitdefender Labs confirmed that the GoldenEye/Petya ransomware takes advantage of the same EternalBlue exploit to spread from one computer to another. But it is also different in many ways.
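A defender-side audit for the exposure described above, added here as an example and not part of the article or Bitdefender’s material: it assumes PowerShell 4 or later on Windows 8.1/Server 2012 R2 or newer and an elevated session, and the KB list is the MS17-010 hotfix set Microsoft published for common Windows versions (a later cumulative update on Windows 10 supersedes them, so a missing KB alone does not prove a host is unpatched).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article: audit a Windows host for the SMBv1
# exposure that WannaCry and GoldenEye/Petya used to spread, and optionally
# turn SMBv1 off. Assumes Windows 8.1 / Server 2012 R2 or newer and an
# elevated session. KB list assumed from Microsoft's MS17-010 bulletin; on
# Windows 10 later cumulative updates supersede these KBs.
param([switch]$Remediate)

$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429')

$findings = [ordered]@{}

# 1. Is the SMBv1 server component switched on?
$smbCfg = Get-SmbServerConfiguration
$findings['SMB1 server enabled'] = $smbCfg.EnableSMB1Protocol

# 2. Is the optional SMB1 feature installed at all (client and server)?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$findings['SMB1 feature state'] = if ($feature) { $feature.State } else { 'Unknown' }

# 3. Is TCP/445 listening, i.e. reachable by a worm on the same network?
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$findings['TCP 445 listening'] = [bool]$listening

# 4. Is any MS17-010 hotfix recorded on the host?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
$findings['MS17-010 KB present'] = if ($installed) { ($installed.HotFixID -join ',') } else { 'none found' }

$findings.GetEnumerator() | ForEach-Object { '{0,-22}: {1}' -f $_.Key, $_.Value }

# Exposure means SMBv1 is on and port 445 is open; the worm needs both.
if ($findings['SMB1 server enabled'] -and $findings['TCP 445 listening']) {
    Write-Warning 'Host accepts SMBv1 on TCP/445: exposed to EternalBlue-style lateral movement if MS17-010 is missing.'
    if ($Remediate) {
        # Turn SMBv1 off; modern clients negotiate SMB2/3 and are unaffected.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Output 'SMBv1 disabled; a reboot completes feature removal.'
    }
}
```

Run without `-Remediate` first to see the report; patch status should still be confirmed against Windows Update rather than the KB list alone.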
Unlike most ransomware, the new GoldenEye variant has two layers of encryption—one that individually encrypts target files on the computer and another that encrypts NTFS (New Technology File System, Microsoft’s proprietary file system) structures, according to Botezatu. This approach prevents victims’ computers from being booted into a live operating system (OS) environment to retrieve stored information or samples, he adds.
Just like Petya, GoldenEye encrypts the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer, Botezatu cautions. Additionally, after the encryption process is complete, the ransomware has a specialized routine that forcefully crashes the computer to trigger a reboot that renders the computer unusable until the $300 ransom is paid.
There are various channels through which ransomware can land on a system, noted Sharda Tickoo, Technical Head at Trend Micro, India, in a 15 May note when the WannaCry malware broke out. In 2016, a typical ransom ranging from $200 to $10,000 was paid by organizations to the cyber attackers, he pointed out. There was a 72% increase in ransomware attacks in 2015-2016, according to Trend Micro. This number is only set to increase.
Ransomware, according to Trend Micro, targets the following files: database files (96%); website files (75%); SQL files (81%); tax files (22%); CAD files (70%); and virtual desktop files (19%). Ransomware operators target the company’s data as well as the customer’s data, which is critical to the functioning of the business. Apart from brand and reputation damage, it can cause business destruction by halting productivity and service delivery, loss of data on customers and core competencies that is critical to your competitiveness, and legal and regulatory implications, noted Tickoo.
Cybersecurity Ventures predicts global annual cybercrime costs will grow from $3 trillion in 2015 to $6 trillion by 2021, which includes damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
The problem will only get compounded when billions of devices get connected in the next few years—the phenomenon known as the Internet of Things, or IoT.