GoldenEye – Ransomware Evolved
Petya – The Origins
Goldeneye started life as Petya in April 2016. The Petya Ransomware was spread via email, and took the form of a Windows executable disguised as an Adobe PDF file. Upon clicking the executable, an Administrative UAC prompt will show, and accepting it allows the malware to run. Petya doesn’t encrypt documents on the computers local drive, instead it encrypts the drive’s Master File Table [MFT]
The MFT is responsible for all the information about a file, including its size, time and date stamps, permissions, and data content. With this encrypted, the system will have no knowledge of what files exist on the machine or where a file’s data is physically located on the hard disk. This ransomware causes the computer to be inoperable, although it requires administrative rights to do its task.
The Dangerous Duo
In May 2016 Petya was modified to integrate code from a second piece of ransomware known as Mischa [Both names of satellites from the film ‘Goldeneye’]. The ‘Mischa’ portion of this malware only ran when the user didn’t permit the executable to have privileged rights. Mischa encrypts the local files on the system with particular file extensions. The encrypted files have a random 4 character file type appended to them in order to bypass anti-malware software, which would detect and block the creation of files with known ransomware file extensions. If the user accepts the administrative rights to the ransomware, the original Petya payload would encrypt the MFT instead of running the Mischa payload.
Goldeneye is the latest Petya / Mischa implementation, released into the wild early December 2016. First cases were reported in Germany, where the ransomware was sent via a recruitment email with an attached Excel document. The document roughly translates to “Please activate enable content to display the skills profile”
Once the Enable Content button has been clicked, a malicious obfuscated Visual Basic Script will be executed. This will then run the Mischa payload on the victims computer, encrypting local documents on the machine. Once this process has completed the ransomware will then try to Bypass a UAC prompt to elevate privileges from Administrator to System on its own. This is achieved via DLL injection, which works if the victim is using an administrator account with default UAC settings on any Windows 7 – 8.1 Operating system. If the user isn’t an administrator, the Petya payload won’t run. If the user is running Windows 10 as an administrator, a UAC prompt will be shown. If this prompt is accepted or the DLL injection is successful then the Petya payload encrypt the MFT.
This ransomware is particulate dangerous as, where possible, both payloads are executed in contrast with previous versions. When Petya runs it will cause the victims computer to crash giving a blue screen. Upon rebooting, the victim will see a fake CHKDSK process.
This is in fact Petya encrypting the MFT and writing its own bootloader and kernel to the hard drive. Once finished the computer will boot into Goldeneye’s splash screen and ransom page.
The user is unable to access the Windows operating system until the ransom is paid via the TOR Browser. The TOR page requires a CAPTCHA to access, the user is then presented with a page in which the personal identifier from the splash screen must be entered.
The proceeding page states the cost of the ransom. It is currently 1.39 bitcoins valued at ~£890. It then helpfully states how and where bitcoins can be acquired. Note this cost is simply to decrypt the MFT and gain access to the Windows OS this process must be repeated to recover the Mischa encrypted local documents.
After the user acquires the Bitcoins, the attacker’s Bitcoin wallet address is revealed. This is the account in which the funds should be sent. After payment is cleared a decryption key will be provided to the victim.
- Ensure employees are aware of Ransomware and its dangers.
- Use AppLocker to prevent employees from running arbitrary executables.
- Train employees to question the validity of emails and to not open suspicious unexpected attachments.
- Disable Macro scripts within Microsoft Office.
- Manage the distribution of privileged accounts. Only use administrative accounts when absolutely necessary.
- Have a robust and frequent data Backup strategy in place. Ensure backup data isn’t attached to the network. Always keep a backup offsite and offline.
- Rename sensitive file extensions to something unique [.doc to .file] This will prevent ransomware from encrypting the document.