According to Bitdefender Labs:
“Bitdefender has identified a massive ransomware campaign that is currently unfolding worldwide. Preliminary information shows that the malware sample responsible for the infection is an almost identical clone of the GoldenEye ransomware family. At the time of writing this there is no information about propagation vector but we presume it to be carried by a wormable component.
Unlike most ransomware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another one that encrypts NTFS structures. This approach prevents victims’ computers from being booted up in a live OS environment and retrieving stored information or samples.
Just like Petya, GoldenEye encrypts the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer.”
The latest information states that thirteen payments have already been made to the creators of the software with many more expected.
In an update to the original blog post, Bitdefender has named several of the organizations that have been impacted.
“Several companies confirmed so far to have fallen victim to GoldenEye/Petya ransomware: Chernobyl’s radiation monitoring system, DLA Piper law firm, pharma company Merck, a number of banks, an airport, the Kiev metro, Danish shipping and energy company Maersk, British advertiser WPP and Russian oil industry company Rosneft. The attacks were widespread in Ukraine, affecting Ukrenergo, the state power distributor, and several of the country’s banks.”
What can be done to prevent GoldenEye/Petya? ZDNet security editor Zack Whittaker says that ensuring all systems are updated and patched is critical but may not help this time.
“There’s some conflicting reports that even backed-up computers may be affected,” he stated. “We’ll see what happens in the next few hours as we have more information.”
One of the best tools that we implement for our clients at Andrews And Associates to prevent this type of attack is the SonicWall Firewall. Our clients with a SonicWall Firewall in place that were using Gateway Anti-Virus, Intrusion Prevention service, and Capture Advanced Threat Protection were protected from the WannaCry ransomware outbreak.