Another massive ransomware attack is hitting organisations across the globe, including the UK, US and Russia. Several companies have so far been confirmed to have fallen victim to the GoldenEye/Petya ransomware. The attack exploits the same vulnerability that allowed the WannaCry ransomware to spread in May. The Petya ransomware hijacks victims' computers, encrypts their files and holds them hostage until a fee is paid.
According to Bitdefender Labs, Chernobyl's radiation monitoring system, law firm DLA Piper, pharma company Merck, a number of banks, an airport, the Kiev metro, Danish shipping and energy company Maersk, British advertiser WPP and Russian oil firm Rosneft have been the targets so far. "GoldenEye /Petya operators have already received 13 payments in almost two hours. That is $3.5K USD ($3,500) worth in digital currency," Bitdefender Labs researcher Bogdan Botezatu said in a note. The ransomware includes code known as "EternalBlue", which cyber security experts widely believe was stolen from the U.S. National Security Agency (NSA) and which was also used in WannaCry.
Unlike most ransomware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another that encrypts NTFS structures. This approach prevents victims' computers from being booted into a live OS environment to retrieve stored information or samples. Like Petya, GoldenEye encrypts the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround that lets victims retrieve the decryption keys from the computer. Additionally, once the encryption process is complete, the ransomware runs a specialized routine that forcibly crashes the computer to trigger a reboot, leaving it unusable until the $300 ransom is paid.