GoldenEye: New Ways to Do the Same Old Thing

Just like a spy movie villain...

Digital criminals are at it… again… and again! Just over a month ago, the WannaCry ransomware ran amok across vulnerable computers around the world. While it impacted roughly 200,000 users in 150 countries, much of the cybersecurity world saw it as a big, scary… failure. It was shut down almost as quickly as it started, brought in relatively insignificant revenue, and looked more like an unfinished project released ahead of schedule. Those who were hit, of course, didn’t find it so “unfinished”. Their business operations were slowed, stopped, or devastated by permanent data loss.

Well, what happens when the cyber-criminals learn from their mistakes? What happens if instead of “random” attacks, the infections are targeted? What if they are simply testing and perfecting?

Introducing “GoldenEye”.

What is it, and what is it doing?

According to our partners at Bitdefender, this GoldenEye is a particularly nasty variant that started wreaking havoc on Tuesday, and it shows that the hackers have been paying attention. It uses two layers of encryption: one for the targeted files, and another for the file system’s structure itself (the Master File Table that tells Windows where every file lives). Once the file encryption is done, the malware overwrites the Master Boot Record, forces a system crash and reboot, and just like that… you are a hostage of GoldenEye. According to the ransom note that replaces your boot screen after the reboot, the price of decrypting your PC is $300 worth of bitcoin.

GoldenEye ransomware

As of the latest update, GoldenEye has recorded roughly 2,000 infections and received 15 payments totaling about $9,000, yet it has victimized several large organizations and systems. Among those infected are the DLA Piper law firm, Merck, a handful of banks, Maersk, the Russian oil company Rosneft, an airport, the Kiev metro, an electric company in Ukraine, a hospital in Pennsylvania, and the Chernobyl radiation monitoring system.

As more information is gathered, it appears that the bitcoin ransom is more of a formality, and the real intent of the ransomware is simply to destroy data. The payment procedure is convoluted, and the email address victims are told to contact has been shut down, so even if you pay, there is no way for you to receive a decryption key. Paying these ransoms only funds the next revision.

This revision uses the same EternalBlue exploit as the WannaCry worm: a flaw in SMBv1 that Microsoft patched back in March (security bulletin MS17-010). We are now dealing with a second world-wide infection that simple maintenance patches would have prevented. WannaCry could not touch a patched machine, because EternalBlue was its only way to spread. GoldenEye is different. Once it lands on a single unpatched machine, it harvests the credentials cached there and uses standard Windows administration tools to push itself to other machines on the network, so one vulnerable PC can hand it your entire network even when every other PC is up to date.
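Since the whole story turns on that one unpatched machine, here is the check a practitioner would run on each Windows host. This is an added example written for this article, not code from Bitdefender or from the malware analysis; it assumes the March 2017 KB numbers listed (a subset; later cumulative updates supersede them, so a missing KB alone is not proof that a host is vulnerable) and that it is run in an elevated PowerShell session.

```powershell
# Added example (not from the original article): audit one Windows host for the
# two things the worm needs to get in over SMB:
#   1. the MS17-010 fix (the March 2017 patch for the EternalBlue SMBv1 flaw)
#   2. SMBv1 itself, which the exploit targets and which most networks can turn off
# Run in an elevated PowerShell session on each host, or wrap in Invoke-Command.

# KB numbers that delivered MS17-010 in March 2017 (Windows 7/2008 R2, 8.1/2012 R2,
# 2012, 10 builds 1507/1511/1607, and the out-of-band XP/2003/Vista/8 package).
# Assumption: this list is a subset; later cumulative updates supersede these, so
# a missing KB alone is not proof the host is vulnerable.
$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')

function Test-Ms17010Exposure {
    [CmdletBinding()]
    param()

    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    $patched   = ($installed | Measure-Object).Count -gt 0

    # Server-side SMBv1 state. Get-SmbServerConfiguration exists on Windows 8 /
    # Server 2012 and later; older hosts fall through to the registry value.
    $smb1 = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
        # An absent SMB1 value means SMB1 is enabled by default on those older systems.
        $smb1 = if ($null -eq $reg.SMB1) { $true } else { [bool]$reg.SMB1 }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Ms17010KbFound = ($installed | ForEach-Object { $_.HotFixID }) -join ','
        Ms17010Patched = $patched
        Smb1Enabled    = $smb1
        # One unpatched, SMB1-exposed host is the foothold the article warns about.
        Exposed        = (-not $patched) -and $smb1
    }
}

Test-Ms17010Exposure | Format-List

# Remediation on Windows 8.1 / Server 2012 R2 and later, once the patch is
# confirmed installed: turn the legacy protocol off entirely.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Run it across the fleet with Invoke-Command and sort on the Exposed column; any host that comes back true is the single machine the paragraph above describes. Note that patching closes the door EternalBlue uses but does nothing about the credential-based spread, so shared local administrator passwords still need to go.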

What can you do?

Common cybersecurity best practices are your safest bet, and that means a proactive approach on a few fronts. Ensuring your backups are running the way they should is a good place to start. However, this strain of GoldenEye makes restoring uniquely painful even with a good backup, because it also overwrites the Master Boot Record: you aren’t just copying files back, you are rebuilding the operating system first, so test that your backups can restore a whole machine and not only its documents. Beyond backups, that leaves training against social engineering, having a current security suite (antivirus, firewall, DNS filtering) in place and properly maintained, and running a system that ensures regular software and OS security updates.

Information gathering still hasn’t determined every method used for the initial distribution of this infection. An overwhelming share of recent similar attacks started with social engineering (users will always be the weakest link in your digital armor), but there is evidence that a tampered update to an accounting software package was used in this case as well, and some indication that malicious Word documents were involved. Multiple fronts therefore need to be proactively maintained if a business is to remain secure from these types of attacks. Acting after the attack, if there is even an action left to take, is too late.

I’ll take this time to point out that this is a lot for a lone “tech guy” to handle in a business with more than a couple of users. If you are serious about avoiding crippling data loss, whether you are a small, medium, or larger business, you need a team that can maintain your security around the clock. Criminals don’t take vacations. Neither can your IT security. Many managed service providers are built to handle this very type of event (CisCom Solutions being my natural recommendation!).

If you would like to know more about this attack or how to ensure your business is proactively prepared, reach out to the friendly staff at CisCom for that and more! Oh, and for goodness sake, patch your software, friends!

Be sure to like, follow, and share this article to stay aware and make your friends and colleagues aware of this and many other important topics CisCom Solutions shares.