GoldenEye ransomware attack – expert comments
By now you’ve likely heard about the GoldenEye ransomware attack, identified as a strain of the Petya ransomware, which initially made its way through Europe and then spanned the globe within hours. Many major businesses and utilities have already reported attacks or infections, including Ukraine’s central bank, Ukraine’s Ukrenego electricity supplier, the Chernobyl nuclear power plant, airport and metro services throughout the UK, US-based pharmaceutical company Merck, multinational law firm DLA Piper, Danish shipping company A.P. Moller-Maersk, and Russia’s biggest oil company, Rosneft, with more expected to come. Romania, the Netherlands, Norway, and Britain have reportedly been hit as well.
Eldon Sprickerhoff, founder and chief security strategist at cyber security firm eSentire, says, “GoldenEye is a particularly virulent strain of the Petya ransomware that leverages the bones of Petya, but course-corrects weak spots in the original Petya strain. Like its predecessor, GoldenEye makes decryption very difficult. Creators improved the effectiveness of the strain by leveraging exploits associated with WannaCry. Early indicators show that companies who failed to update system patches are most susceptible. Businesses relying solely on anti-virus will also face increased risk, as most AV systems will be incapable of detecting GoldenEye – new hashes are emerging quickly, which means AV will have difficulty keeping up.”
Eldon added, “Our threat intelligence team has seen at least three different ransomware flavors emerge recently: the rapid deletion of files, exfiltration of data, and a new variant which works to lock down passwords before encryption, making backup restoration particularly tricky. GoldenEye, in particular, amplifies the rapid evolution of ransomware. Attacks are becoming more widespread, are moving faster, and are harder to kill. Businesses worldwide should treat this attack as an early warning: take this as an opportunity to ensure that backups and system patches are up-to-date, and tested. Ransomware is not going away; attacks like this will increase in frequency and sophistication.”
As usual, initial suspicions point to Russia, but Mark McArdle, eSentire’s CTO, says attribution of attacks is very difficult. “Finding irrefutable evidence that links an attacker to an attack is virtually unattainable, so everything boils down to assumptions and judgement. It’s never been more important to have visibility into the unusual activities going on in a company’s network and have the ability to investigate and respond. This is what research firm Gartner calls ‘Managed Detection and Response (MDR)’ – an effective way of keeping small breaches from turning into headline-making hacks.”