
GoldenEye – Ransomware Evolved

GoldenEye is the latest Petya/Mischa variant, released into the wild in early December 2016. The first cases were reported in Germany, where the ransomware was delivered by a recruitment e-mail with an attached Excel document.

  • 22 Dec 2016
  • digitalxraid

Petya – The Origins

GoldenEye started life as Petya in April 2016. Petya was spread by e-mail as a Windows executable disguised as an Adobe PDF. Running it triggers an administrative UAC prompt; accepting it gives the malware the rights it needs to overwrite the disk's boot code. Petya does not encrypt individual documents on the computer's local drive. Instead it encrypts the drive's Master File Table (MFT).

The MFT is NTFS's index of every file on the volume: its name, size, timestamps, permissions and, crucially, where the file's data lives on the disk (very small files are stored directly inside their MFT record). With the MFT encrypted, the file data is still on the disk, but the system can no longer tell which files exist or where their contents are located. The result is a computer that cannot boot into Windows, although carrying out the attack requires administrative rights.


The Dangerous Duo

In May 2016 Petya was modified to carry a second ransomware component known as Mischa (Petya and Mischa are the names of the two satellites in the film 'GoldenEye'). The Mischa portion only runs when the user declines the UAC prompt, so the executable never receives privileged rights. Mischa encrypts local files that have particular extensions; each encrypted file is given a random four-character extension so that anti-malware software, which detects and blocks the creation of files with known ransomware extensions, does not recognise them. If the user accepts the UAC prompt instead, the original Petya payload encrypts the MFT and the Mischa payload is not run.
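An added example, not part of the original article, showing how to catch that evasion without relying on a list of known ransomware extensions: the function flags clusters of files that share an extension which is not on an allow-list and looks machine-generated (exactly four alphanumeric characters, as described for Mischa above). The allow-list, the cluster threshold of five files and the sample file listing are assumptions constructed for the demo; on a real system the function takes the FullName output of Get-ChildItem.

```powershell
# Added example (not from the original article). Flags clusters of files sharing an
# extension that is (a) absent from an allow-list of extensions seen in normal use and
# (b) looks random: exactly four alphanumeric characters, as the article describes
# for Mischa. Allow-list, threshold and sample paths are assumptions for the demo.

function Find-RandomExtensionClusters {
    param(
        [Parameter(Mandatory)] [string[]] $Paths,
        # Assumption: five or more files with the same unknown extension is a burst worth looking at.
        [int] $MinClusterSize = 5,
        # Assumption: extensions considered normal on this fleet; extend from your own inventory.
        [string[]] $KnownExtensions = @('doc','docx','xls','xlsx','ppt','pptx','pdf','txt',
                                        'jpg','png','zip','exe','dll','log','ini','html','htm')
    )

    # Normalise every path to its lowercase extension, keep only unknown four-character
    # alphanumeric ones, then count how many files share each.
    $groups = $Paths |
        ForEach-Object { [System.IO.Path]::GetExtension($_).TrimStart('.').ToLowerInvariant() } |
        Where-Object { $_ -match '^[a-z0-9]{4}$' -and $KnownExtensions -notcontains $_ } |
        Group-Object

    foreach ($g in $groups) {
        if ($g.Count -lt $MinClusterSize) { continue }
        $hits = $Paths | Where-Object { $_ -like "*.$($g.Name)" }
        [pscustomobject]@{
            Extension = $g.Name
            FileCount = $g.Count
            # Mischa appends its extension to the original name, so the document's real
            # extension is still visible one level in: 'cv.docx.7gp3' -> 'docx'.
            InnerExtensions = ($hits | ForEach-Object {
                    [System.IO.Path]::GetExtension([System.IO.Path]::GetFileNameWithoutExtension($_)).TrimStart('.')
                } | Sort-Object -Unique) -join ','
            Example = $hits | Select-Object -First 1
        }
    }
}

# Constructed sample listing (not real telemetry): ordinary files plus a Mischa-like burst.
$sample = @(
    'C:\Users\anna\Documents\budget.xlsx',
    'C:\Users\anna\Documents\notes.txt',
    'C:\Users\anna\Documents\readme.html',
    'C:\Users\anna\Documents\cv.docx.7gp3',
    'C:\Users\anna\Documents\budget2.xlsx.7gp3',
    'C:\Users\anna\Pictures\holiday.jpg.7gp3',
    'C:\Users\anna\Documents\contract.pdf.7gp3',
    'C:\Users\anna\Desktop\thesis.docx.7gp3',
    'C:\Windows\System32\drivers\etc\hosts'     # no extension at all; ignored
)

# Reports one cluster: extension 7gp3, five files, inner extensions docx,jpg,pdf,xlsx.
Find-RandomExtensionClusters -Paths $sample | Format-Table -AutoSize
```

Against a live share, run it as `Find-RandomExtensionClusters -Paths (Get-ChildItem \\fileserver\share -Recurse -File).FullName`, or feed it the TargetFilename field of file-creation events from your endpoint telemetry. The InnerExtensions column is what tells a real encryption burst apart from an application that legitimately writes many files with an odd extension.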

Goldeneye Analysis

As noted above, GoldenEye appeared in early December 2016 and was first reported in Germany, delivered by recruitment e-mails carrying an Excel attachment. The document's German text roughly translates to "Please click Enable Content to display the skills profile".

Once Enable Content has been clicked, an obfuscated Visual Basic macro runs. It first executes the Mischa payload on the victim's computer, encrypting local documents. When that has finished, the ransomware attempts to bypass UAC on its own, turning the administrator account's non-elevated token into a fully elevated one without showing a prompt. The bypass uses DLL injection and works when the victim is using an administrator account with default UAC settings on Windows 7 through 8.1. If the user is not an administrator, the Petya payload cannot run at all, because it needs elevated rights to write to the disk's boot sectors. If the user is an administrator on Windows 10, a normal UAC prompt is shown instead. If that prompt is accepted, or the DLL injection succeeds, the Petya payload encrypts the MFT.

This ransomware is particularly dangerous because, wherever possible, both payloads are executed, in contrast with previous versions where only one of them ran. When Petya runs it crashes the victim's computer with a blue screen. On reboot, the victim sees a fake CHKDSK process.

This is in fact Petya encrypting the MFT, running from the bootloader and minimal kernel it wrote to the hard drive before forcing the reboot. Once finished, the computer boots into GoldenEye's splash screen and ransom page.

The user cannot get back into Windows until the ransom is paid, via a site reachable only through the Tor Browser. The Tor page requires a CAPTCHA; the user is then presented with a page into which the personal identifier shown on the splash screen must be entered.

The following page states the cost of the ransom: at the time of writing 1.39 bitcoins, worth roughly £890. It then helpfully explains how and where bitcoins can be acquired. Note that this payment only buys decryption of the MFT, i.e. access to the Windows OS; the whole process, payment included, must be repeated to recover the documents encrypted by Mischa.


Once the user has acquired the bitcoins, the attacker's wallet address is revealed; this is the address to which the funds must be sent. After the payment clears, a decryption key is provided to the victim.

[Diagram: full process of the GoldenEye ransomware]

Mitigations

  • Ensure employees are aware of ransomware and its dangers.
  • Use AppLocker (or equivalent application whitelisting) to prevent employees from running arbitrary executables.
  • Train employees to question the validity of e-mails and not to open suspicious or unexpected attachments.
  • Disable Office macros via Group Policy, or at minimum block macros in documents that arrived from the Internet, so the "Enable Content" lure has nothing to click.
  • Limit the distribution of privileged accounts. Use administrative accounts only when absolutely necessary; from a standard user account the Petya payload cannot run.
  • Have a robust and frequent backup strategy in place. Ensure backups are not attached to the network, and always keep a copy offsite and offline.
  • Renaming sensitive file extensions to something unique (.doc to .file, for example) can stop ransomware that works from a fixed list of target extensions, as Mischa does, from touching those documents. Treat it as a stopgap rather than a control: it does nothing against Petya's MFT encryption, and any variant that targets all files ignores it.
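An added example, not from the original article, that audits the two settings the GoldenEye chain described above depends on: whether users can click "Enable Content" in Office, and whether UAC is at the default level that lets signed Windows binaries auto-elevate, which is the property the Windows 7 to 8.1 bypass relies on. The registry paths and value names are the documented Windows and Office policy locations; the Office version list and the definition of "hardened" are this example's assumptions.

```powershell
# Added example (not from the original article). Read-only audit of the settings the
# GoldenEye chain needs: Office macro behaviour (the "Enable Content" lure) and the UAC
# consent level (the auto-elevation that Windows 7-8.1 UAC bypasses abuse). Paths and
# value names are the documented policy locations; versions and "hardened" are assumptions.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, so "not configured" is distinct from 0.
    try { return [int](Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { return $null }
}

function Test-UacConsentLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = Get-RegistryDword $key 'EnableLUA'
    $consent   = Get-RegistryDword $key 'ConsentPromptBehaviorAdmin'
    $secure    = Get-RegistryDword $key 'PromptOnSecureDesktop'

    # ConsentPromptBehaviorAdmin: 0 = never prompt, 2 = "Always notify" on the secure
    # desktop, 5 = default (prompt only for non-Windows binaries, so signed Windows
    # binaries auto-elevate). UAC bypasses ride on that auto-elevation; 2 closes it.
    if ($enableLua -ne 1)   { $finding = 'UAC disabled (EnableLUA is not 1)' }
    elseif ($consent -eq 0) { $finding = 'Administrators elevate without any prompt' }
    elseif ($consent -ne 2) { $finding = 'Auto-elevation of Windows binaries allowed; set Always notify (2)' }
    elseif ($secure -ne 1)  { $finding = 'Consent prompt not shown on the secure desktop' }
    else                    { $finding = 'OK' }

    [pscustomobject]@{
        Check = 'UAC'; EnableLUA = $enableLua; ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop = $secure; Hardened = ($finding -eq 'OK'); Finding = $finding
    }
}

function Test-OfficeMacroPolicy {
    param(
        [string[]] $Versions = @('15.0', '16.0'),           # assumption: Office 2013 / 2016 fleet
        [string[]] $Apps     = @('Excel', 'Word', 'PowerPoint')
    )
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $key         = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            $vbaWarnings = Get-RegistryDword $key 'VBAWarnings'
            $blockNet    = Get-RegistryDword $key 'blockcontentexecutionfrominternet'

            # VBAWarnings: 1 = enable all, 2 = disable with notification (shows the
            # "Enable Content" bar the lure relies on; also the unmanaged default),
            # 3 = only digitally signed macros, 4 = disable all without notification.
            # blockcontentexecutionfrominternet = 1 (Office 2016+) blocks macros in files
            # carrying the Mark-of-the-Web, which covers e-mailed attachments.
            if ($null -eq $vbaWarnings)                 { $finding = 'No policy: user can click Enable Content' }
            elseif ($vbaWarnings -eq 1)                 { $finding = 'All macros enabled' }
            elseif ($vbaWarnings -eq 2)                 { $finding = 'Macros disabled, but user can click Enable Content' }
            elseif ($v -eq '16.0' -and $blockNet -ne 1) { $finding = 'Internet-sourced macros not blocked' }
            else                                        { $finding = 'OK' }

            [pscustomobject]@{
                Check = "Office $v $app"; VBAWarnings = $vbaWarnings; BlockInternetMacros = $blockNet
                Hardened = ($finding -eq 'OK'); Finding = $finding
            }
        }
    }
}

# Run both audits; any row with Hardened = False is a setting to fix through Group Policy.
@(Test-UacConsentLevel) + @(Test-OfficeMacroPolicy) | Format-Table Check, Hardened, Finding -AutoSize
```

Run it in the context of the user being audited, since the Office policy lives under HKCU. The script only reads; the corresponding Group Policy settings are "User Account Control: Behavior of the elevation prompt for administrators" under Security Options, and "VBA Macro Notification Settings" and "Block macros from running in Office files from the Internet" under the Office Administrative Templates.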