GoldenEye ransomware attack – expert comments

June 2017 by Eldon Sprickerhoff, founder and chief security strategist at eSentire

By now you’ve likely heard about the GoldenEye ransomware attack, identified as a
strain of the Petya ransomware, which initially made its way through Europe and
spanned the globe within hours. Many major businesses and utilities have already
reported attacks or infections, including Ukraine’s central bank; Ukraine’s Ukrenego
electricity supplier; the Chernobyl nuclear power plant; airport and metro
services throughout the UK; US-based pharmaceutical company Merck; multinational
law firm DLA Piper; Danish shipping company A.P. Moller-Maersk; and Russia’s
biggest oil company, Rosneft, with more expected to come. Romania, the Netherlands,
Norway, and Britain have reportedly been hit as well.

Eldon Sprickerhoff, founder and chief security strategist at cyber security firm
eSentire, says, “GoldenEye is a particularly virulent strain of the Petya
ransomware that leverages the bones of Petya, but course-corrects weak spots in the
original Petya strain. Like its predecessor, GoldenEye makes decryption very
difficult. Creators improved the effectiveness of the strain by leveraging exploits
associated with WannaCry. Early indicators show that companies who failed to update
system patches are most susceptible. Businesses relying solely on anti-virus will
also face increased risk, as most AV systems will be incapable of detecting
GoldenEye: new hashes are emerging quickly, which means AV will have difficulty
keeping up.”

Eldon added, “Our threat intelligence team has seen at least three different
ransomware flavors emerge recently: the rapid deletion of files, exfiltration of
data, and a new variant which works to lock down passwords before encryption, making
backup restoration particularly tricky. GoldenEye, in particular, amplifies the
rapid evolution of ransomware. Attacks are becoming more widespread, are moving
faster, and are harder to kill. Businesses worldwide should treat this attack as an
early warning: take this as an opportunity to ensure that backups and system patches
are up-to-date, and tested. Ransomware is not going away; attacks like this will
increase in frequency and sophistication.”

As usual, initial suspicions point to Russia, but Mark McArdle, eSentire’s CTO, says
attribution of attacks is very difficult. “Finding irrefutable evidence that links
an attacker to an attack is virtually unattainable, so everything boils down to
assumptions and judgement. It’s never been more important to have visibility into
the unusual activities going on in a company’s network and have the ability to
investigate and respond. This is what research firm Gartner calls ‘Managed
Detection and Response (MDR)’ – an effective way of keeping small breaches from
turning into headline-making hacks.”
