CyberScout

Petya, GoldenEye Ransomware Picks Up Where WannaCry Left Off

Petya, GoldenEye Ransomware Picks Up Where WannaCry Left Off

What happened?

A new ransomware attack created computer chaos worldwide—though primarily in Europe—on June 27. The outbreak, dubbed both GoldenEye and Petya by researchers, is being compared to WannaCry. While antivirus firms and IT departments struggle to get the outbreak under control, there’s still some debate about how it works and how it spreads. But in some ways, the virus is even more powerful, and more nasty, than WannaCry.

The list of victims is impressive and alarming. According to security firm Bitdefender, they include: “Chernobyl’s radiation monitoring system, DLA Piper law firm, pharma company Merck, a number of banks, an airport, the Kiev metro, Danish shipping and energy company Maersk, British advertiser WPP and Russian oil industry company Rosnoft. The attacks were widespread in Ukraine, affecting Ukrenergo, the state power distributor, and several of the country’s banks.”

The real risk for you

As with WannaCry, the risk is losing access to all your personal and company files. The risk is even greater with Petya, since in addition to encrypting files, Petya also encrypts the infected computer’s master boot record, making recovery even more difficult.

While Petya utilizes the same Eternal Blue vulnerability as WannaCry—the one initially discovered by the NSA, and leaked by hackers before it was weaponized—Petya has other ways to infect, also. Security researchers believe some initial infections are the result of social engineering and phishing attacks. They also believe that once Petya infects a single computer on a network, it can spread itself laterally through a network via Windows utilities (specifically, Windows Management Instrumentation or WMI). That means even machines patched against Eternal Blue aren’t immune from this attack. It’s also believed that Petya has additional features which allow it to steal login credentials.

Steps you should take now & later

Now more than ever, make sure every system you connect to a network is fully patched and protected. It’s absolutely essential, also, that you back up data you care about—from company files to baby pictures. Petya confirms every researcher’s worst fear: ransomware writers are learning from each other, and with each successive attack, they are getting “better” at what they do. If you have escaped WannaCry and Petya, consider yourself lucky. There is a high likelihood that a future ransomware attack will target you. There’s only one way to be ready: Back up.

Here’s a to-do list from CyberScout:

  • Create cloud backups of all mission-critical data sets
  • Establish a program of education and awareness for all users to help them recognize phishing attacks
  • Perform vulnerability assessment and install security patches promptly
  • Consider “next generation” anti-malware applications, especially those that go beyond the standard signature-checking of traditional anti-virus
  • Develop a full-featured breach response plan that includes ransomware responses

Eric Hodge is director of consulting at CyberScout. Bob Sullivan, a contributor to ThirdCertainty.com, contributed to this article.