Ransomware strikes again - shaken, not stirred!

Dr Irving Hofman

I am flabbergasted that, six weeks after the high-profile WannaCry attack that crippled the NHS in the UK, major corporations around the world are still falling victim to ransomware. A new variant, GoldenEye (now widely referred to as NotPetya), is currently doing the rounds, and it is much more dangerous than its predecessor.

Only two things are infinite, the universe and human stupidity, and I'm not sure about the former -- Albert Einstein

Merck Pharmaceuticals is one of the high-profile companies affected. It has a market capitalisation of around US$179 billion. It can certainly afford best-practice IT security. Evidently it doesn't have it. Why not?

GoldenEye is even more malicious than WannaCry. Not only does it encrypt your important files, it also overwrites the boot record and encrypts the file system's master file table (MFT), so the machine cannot even boot into Windows. This renders the entire computer unusable. Worse, paying the ransom will not help in this case: the email provider hosting the account used to deliver decryption keys has shut that account down, so there is no way to obtain a key even if you pay. If you don't have bare-metal backups of infected computers, there is no recovery from this one.

GoldenEye also possesses some very clever mechanisms for spreading. It extracts credentials from memory and the local file system and then uses two standard Windows administration tools, PsExec and WMI, to execute itself on other machines with those credentials. Because this is ordinary remote administration rather than an exploit of a software flaw, fully patched systems are infected just the same. Patching alone, in other words, is not enough: shared local administrator passwords and over-privileged accounts are the real weak spot here.
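The PsExec/WMI spreading pattern described above leaves recognisable traces on the target host. The following is an added example, not code from this post, that flags those traces in Windows event records. The four records are constructed to resemble System/Security log entries (Id and Message only); on a real host you would feed Get-WinEvent output of the same shape into Find-LateralMovement. The 'perfc.dat' target name in the share-access record is a constructed sample value.

```powershell
#Requires -Version 5.1
# Added example, not from the post: flag PsExec/WMI-style lateral movement.
# $constructedEvents is sample data built to look like event log records.
$constructedEvents = @(
    [pscustomobject]@{ Log = 'System'; Id = 7045;
        Message = 'A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\PSEXESVC.exe' }
    [pscustomobject]@{ Log = 'Security'; Id = 4688;
        Message = 'A new process has been created. New Process Name: C:\Windows\System32\rundll32.exe Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe' }
    [pscustomobject]@{ Log = 'Security'; Id = 5145;
        Message = 'A network share object was checked to see whether client can be granted desired access. Share Name: \\*\ADMIN$ Relative Target Name: perfc.dat' }
    [pscustomobject]@{ Log = 'Security'; Id = 4688;
        Message = 'A new process has been created. New Process Name: C:\Windows\System32\notepad.exe Creator Process Name: C:\Windows\explorer.exe' }
)

function Find-LateralMovement {
    param([Parameter(Mandatory)][object[]]$Events)
    $hits = foreach ($e in $Events) {
        $reason = $null
        switch ($e.Id) {
            # PsExec copies its service binary to the target and registers it before running anything
            7045 { if ($e.Message -match 'Service Name:\s*PSEXESVC') { $reason = 'PsExec service (PSEXESVC) installed' } }
            # Commands launched over WMI run as children of the WMI provider host
            4688 { if ($e.Message -match 'Creator Process Name:\s*\S*\\WmiPrvSE\.exe') { $reason = 'Process spawned by WmiPrvSE.exe' } }
            # The payload is dropped into the hidden admin share before PsExec/WMI runs it
            5145 { if ($e.Message -match 'Share Name:\s*\\\\\*\\ADMIN\$') { $reason = 'Access to ADMIN$ share' } }
        }
        if ($reason) {
            [pscustomobject]@{ Id = $e.Id; Reason = $reason; Message = $e.Message }
        }
    }
    return @($hits)
}

# Three of the four constructed records are flagged; the notepad.exe launch is benign.
Find-LateralMovement -Events $constructedEvents | Format-Table Id, Reason -AutoSize
```

Two caveats for real use: event 5145 only appears if "Audit Detailed File Share" is enabled, and the Creator Process Name field in 4688 requires process-creation auditing on Windows 10 / Server 2016 or later. A single hit is not proof of compromise, since administrators use PsExec and WMI legitimately; the same service install and ADMIN$ access fanning out from one host to many in a short window is the signal to look for.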

The name GoldenEye is quite befitting. In the James Bond movie bearing that name, it referred to a satellite weapon used to cause destruction and cover a monetary theft (Petya was the name of one of the two satellites). That's exactly what this ransomware does.

From what I can ascertain at this stage, a ransomware strain called GoldenEye was released back in December 2016. This appears to be a new variant with a self-replicating mechanism that the original version lacked.

Protecting IT systems from ransomware isn't rocket science. It merely relies on implementing known best practices: tested, offline (bare-metal) backups, prompt patching, no shared local administrator passwords, and restricting who can use PsExec, WMI and the admin shares across the network. IT service providers are all well aware of these threats and of the systems available to provide protection. What is everyone waiting for? Implement them!

UPDATE: 1:25PM - A researcher (@0xAmit) has found a per-host "vaccine". Create a file named "perfc" with no extension in C:\Windows and make it read-only; the malware checks for that file when it starts and exits if the file is present. This stops the payload from running on that machine however it arrives, including via the WMI/PSEXEC vector. It does nothing for machines that are already infected, and it is no substitute for backups and credential hygiene. (https://twitter.com/0xAmit/sta...)
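The following is an added example, not code from this post or from the researcher's tweet, that applies and verifies the "perfc" vaccine described in the update. It assumes the malware's check is by file name only, so an empty, read-only file in C:\Windows is sufficient; the Names parameter is a list because some later guidance also created perfc.dat and perfc.dll, which the update itself does not mention.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the post: create and verify the C:\Windows\perfc vaccine file.
# Assumption: presence of the file by name is all the malware checks for.
function Install-PerfcVaccine {
    param(
        [string]$WindowsDir = $env:SystemRoot,
        # 'perfc' is the name given in the update; 'perfc.dat' and 'perfc.dll'
        # come from later guidance and are not required by the update's instruction.
        [string[]]$Names = @('perfc')
    )
    foreach ($name in $Names) {
        $path = Join-Path $WindowsDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            # -Force is deliberately not used so an existing file is never truncated
            New-Item -Path $path -ItemType File | Out-Null
        }
        # Mark the file read-only, as the update instructs
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        [pscustomobject]@{ Path = $path; ReadOnly = (Get-Item -LiteralPath $path).IsReadOnly }
    }
}

function Test-PerfcVaccine {
    param([string]$WindowsDir = $env:SystemRoot, [string[]]$Names = @('perfc'))
    $ok = $true
    foreach ($name in $Names) {
        $path = Join-Path $WindowsDir $name
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if ($null -eq $item -or -not $item.IsReadOnly) {
            Write-Warning "Vaccine missing or not read-only: $path"
            $ok = $false
        }
    }
    return $ok
}

Install-PerfcVaccine | Format-Table -AutoSize
if (Test-PerfcVaccine) { 'perfc vaccine in place' } else { 'perfc vaccine NOT in place' }
```

Run it from an elevated prompt on each machine (or push it as a GPO startup script) and keep Test-PerfcVaccine in your compliance checks. Unlike the WannaCry kill-switch domain, this is not a network-wide switch: every host has to carry its own file, and an already-infected host is not helped by it.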

For more technical details, refer to these links:
