Back to Insights
GoldenEye Ransomware Wreaks Havoc on Global Networks
June 27, 2017 | Malware and Advanced Threats
By Daniel Maloof, IANS Managing Editor
The ransomware hits keep on coming, and just like the WannaCry outbreak, this looks like a big one. For the second time in as many months, corporations around the world are experiencing a massive cyber-attack that’s crippling enterprise networks and demanding a Bitcoin ransom to decrypt files.
The latest strain of ransomware, being dubbed GoldenEye, was initially deemed a variant of the Petya malware family, though researchers at Kaspersky have left the door open that it could be an entirely new type of malware. Kaspersky added that it had seen evidence that the latest malware strain was created on June 18, leading to speculation that attacks have been ongoing for more than a week.
Similar to WannaCry, researchers at Symantec have confirmed that the GoldenEye ransomware has been infecting computers using the EternalBlue exploit, which was leaked by the Shadow Brokers hacking group earlier this year and is believed to have been originally developed by the NSA. WannaCry infected computers in more than 150 countries and, thus far, more than 2,000 computer systems had already been infected by GoldenEye.
According to Martin Bos, VP of technical services at TrustedSec, the ransomware’s authors “not only created their own boot loader, but also a tiny kernel, which is 32 sectors long. The affected system’s master boot record (MBR) is overwritten by the custom boot loader that loads the tiny malicious kernel and then proceeds with further encryption.”
Early reports indicated the greatest damage has been inflicted upon corporations, banks and utilities in Ukraine, but the impact of GoldenEye has been felt in Denmark, Great Britain, Russia, Spain, France and the United States as well. Some of the largest corporations that have reported being hit thus far include Danish shipping giant AP Moller-Maersk, Russian oil producer Rosneft, American pharmaceutical firm Merck and British advertising firm WPP, the largest advertising agency in the world. Ukraine’s central bank, as well as the Kiev Boryspil Airport, were also reported to have been hit.
Cisco’s Talos research team said at least some of the infections seemed to have originated with an update to a Ukrainian tax accounting software application called MeDoc. “Based on observed in-the-wild behaviors, the lack of a known, viable external spreading mechanism and other research we believe it is possible that some infections may be associated with [MeDoc],” wrote Talos’s threat researcher Alexander Chiu in a blog post. “Talos continues to research the initial vector of this malware.”
Song Remains the Same: Patch Systems, Disable SMB1
For companies that have been infected with the latest ransomware strain, options are limited, but IANS Faculty Andrew Hay, chief technology officer at LEO Cyber Security, noted that there are steps organizations can take to at least limit their exposure and defend against similar attacks in the future.
“The first obvious thing to do is to ensure that SMB protocols are blocked at your perimeter (either via a firewall or access control list) for both inbound and outbound transmission,” Hay said. “There are several secure file transfer protocols and services that can be used in place of allowing SMB access to/from the public internet.
“Secondly, organizations need to accelerate the patching of MS17-010 on all network-connected Windows systems (including virtual machines and IaaS cloud guests) using the guidance provided by Microsoft. If you are unable to patch immediately, you may be able to protect yourself by disabling version 1 of the SMB protocol.”
In the bigger picture, Hay emphasized that the latest ransomware attacks further signal the importance of having a sound patch management system in place, particularly considering the same vulnerabilities exploited in the WannaCry attacks were being used again.
“This is the second attack of this type in recent months, so organizations must review their patch management program to ensure that emergency patches to mitigate critical vulnerabilities and easily weaponized attacks can be applied in an expedited fashion,” said Hay. “Organizations may also want to consider stockpiling crypto currency like Bitcoin to reduce any possible transaction downtime should they find themselves forced to pay the ransom.”
Phishing Stories From the Wild
Avoid the Pitfalls of Using FAIR for Risk Management
Top 10 Ways Penetration Testers Break Into Organizations
Take an Effort-Based Approach to Vulnerability Management