
New 'GoldenEye/Petya' Ransomware Quickly Spreading Worldwide

Ransomware is in the news again, this time in the form of software called Petya, along with a variant thereof known as GoldenEye, and it is hitting mission-critical operations worldwide. Thus far, major targets like radiation monitoring systems at Chernobyl, the Kiev metro, and no small number of banks have been affected. Much like the WannaCry ransomware that hit earlier in the year, Petya is sweeping across Europe quickly, though reports of attacks are coming in from all over. Petya uses the same EternalBlue exploit that WannaCry used, created by the United States’ National Security Administration and subsequently leaked online. The key difference is that while WannaCry could only impact computers that it could crack with EternalBlue, which has been patched in newer versions of Windows and was never even an issue on Linux or MacOS, Petya can affect almost any x86 machine on the same network as a compromised system. This means that ARM devices are safe for certain, and some reports are saying that Linux machines on affected networks are safe as well.

With anything running an Intel processor on the same network as an older Windows machine being fair game, Petya has already managed to wreak havoc on a scale comparable to WannaCry, despite the latter having served as a wake-up call of sorts. Many businesses’ core systems are still running on older versions of Windows, and any systems on the same networks can be infected thanks to Petya’s use of a few extra exploits and layers of encryption. Where WannaCry would allow a computer to keep running but would encrypt personal data, Petya hits critical system files and prevents the machine from booting, requiring the computer to be entirely refreshed with a new OS in order to work again, unless the ransom is paid. This approach has proven somewhat profitable for the people behind the ransomware, as reports indicate that the bitcoin wallet associated with them holds roughly $9,000 right now. At $300 per computer, that would mean at least 30 users decided to pay rather than lose their files. An email address that was also used has been shut down by its provider, and since then it has received emails from compliant users that would total another $3,000 if the account were still in the hackers’ hands.

GoldenEye builds on Petya with a few nasty additions that make it harder to shake off. A computer hit with Petya stays live for a while as the malware does its work, giving users a chance to make backups, try to save copies of encrypted files, or boot the computer from a live Linux USB drive. GoldenEye, on the other hand, reboots the target computer as soon as the encryption is finished, and as of this writing no workaround has been found that helps recover the decryption key from the computer. Both GoldenEye and Petya are still spreading aggressively right now, but many major antivirus programs and malware defense systems are actively blocking them.