Our internal telemetry shows that some infections with #GoldenEye have been triggered by the compromised update of the MeDOC accounting software. A number of our customers in Ukraine where our solutions intercepted the attack clearly show explorer.exe starting up ezvit.exe (the accounting app binary) which in turn execute rundll32.exe with the ransomware’s DLL as parameter.
Bottom line, we can confirm the MeDOC update as an infection vector. This makes Ukraine “patient zero” from where the infection spread across VPN networks to headquarters or satellite offices.
We strongly advise all companies who have offices in Ukraine to be on the lookout and to monitor VPN connections to other branches.
In addition to the MeDOC update, there are some other infection vectors that we are investigating as we write these lines.
Update 6/28 08.00 GMT+3
There is mounting evidence that the #GoldenEye / #Petya ransomware campaign might not have targeted financial gains but rather data destruction.
- The choice of a regular, non-bulletproof e-mail service provider to act as a communication channel was obviously a wrong decision in terms of business.
- The lack of automation in the payment & key retrieval process makes it really difficult for the attacking party to honor their end of the promise.
- There is a total lack of usability in the payment confirmation: the user has to manually type an extremely long, mixed case “personal installation key” + “wallet” is prone to typos.
Update 6/28 06.00 GMT+3
The email address that was used by the threat actors to get payment confirmations has been suspended by Posteo. This means that all payments made overnight will be unable to get validated, and therefore will surely not receive the decryption key. Not that we have ever advised otherwise, but if you’re planning to pay the ransom, stop now. You’ll lose your data anyway, but you’ll contribute in funding the development of new malware. Even so, there have been 15 payments made after the suspension of the e-mail address. The wallet now totals 3.64053686 BTC out of 40 payments, with a net worth of $US 9,000.
Update 21.30 GMT+3
Several voices in the industry have speculated that the initial attack vector was a compromised update of the M.E. Doc accounting software utility that all breached companies were using. We have confirmed breaches in companies that did not use the respective software solution. Also, in a Facebook post on the company’s page, the vendor denies the allegations [Ukrainian].
Update 20.18 GMT+3
Several companies confirmed so far to have fallen victim to GoldenEye/Petya ransomware: Chernobyl’s radiation monitoring system, DLA Piper law firm, pharma company Merck, a number of banks, an airport, the Kiev metro, Danish shipping and energy company Maersk, British advertiser WPP and Russian oil industry company Rosnoft. The attacks were widespread in Ukraine, affecting Ukrenergo, the state power distributor, and several of the country’s banks.
Update 18.45 GMT+3
GoldenEye /Petya operators have already received 13 payments in almost two hours. That is $3.5K USD worth in digital currency.
Update 18.30 GMT+3
Bitdefender Labs confirms that the GoldenEye / Petya ransomware leverages the EternalBlue exploit to spread from one computer to another. Additional exploits are also used to propagate. Details coming soon.
Bitdefender has identified a massive ransomware campaign that is currently unfolding worldwide. Preliminary information shows that the malware sample responsible for the infection is an almost identical clone of the GoldenEye ransomware family. At the time of writing this there is no information about propagation vector but we presume it to be carried by a wormable component.
Unlike most ramsonware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another one that encrypts NTFS structures. This approach prevents victims computers from being booted up in a live OS environment and retreiving stored information or samples.
Just like Petya, GoldenEye encrypts the the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer.
Additionally, after the encryption process is complete, the ransomware has a specialized routine that forcefully crashes the computer to trigger a reboot that renders the computer unusable until the $300 ransom is paid.
Bitdefender blocks the currently known samples of the new GoldenEye variant. If you are running a Bitdefender security solution for consumer or business, your computers are not in danger.