GoldenEye Ransomware

The GoldenEye ransomware had a brief life, operating only in December 2016. As a result, this ransomware virus is not very well known. However, it is a version of a very well-known ransomware group called Petya

The original Petya surfaced in March 2016. It went through four versions in quick succession, and GoldenEye was the last of those. The Petya ransomware system originated in Russia, and the GoldenEye version specifically targeted German businesses.

What is distinctive about GoldenEye?

The GoldenEye ransomware is a combination of two attack strategies. First, two viruses get downloaded together. These are called Mischa and Petya. Second, like all ransomware, these viruses encrypt data and then demand a payment to get the decryption key.

Petya was groundbreaking at the time because it doesn’t encrypt files; it encrypts the file system. This strategy makes encryption impossible to circumvent.

Their owners do not launch Petya and GoldenEye attacks. Instead, these systems are made available to others in a Ransomware-as-a-Service format. So, the many targeted attacks were commanded by many different people.

Petya was first released for a limited customer base in a Beta version. This was called Red Petya because its logo and ransom note showed on a red background. Unfortunately, Petya wasn’t so successful because it required Administrator privileges to get down to the operating system and perform its encryption.

When the system went into general release, the developers improved the design and changed its color theme, making it Green Petya. Unfortunately,this version introduced Mischa, which works like a traditional ransomware attacker by encrypting files. The Petya system now tried its low-level attack, and if it couldn’t get the Administrator level, it launched Mischa.

An intermediate release, version 2.5, fix bugs in the ransomware. This was still running as Green Petya. As the fourth version of Petya, release 3.0, GoldenEye was the perfected system. GoldenEye launches both Mischa and Petya, with Mischa running first. So, this is a double encryption system. Marking the change from Green Petya, the livery of GoldenEye is yellow and black.

Where does GoldenEye ransomware come from?

The creators of GoldenEye are called Janus Cybercrime Solutions. This is not one of the big state-sponsored hacker groups. However, clues in its imagery, branding and naming conventions point to the group being based in Russia.

Janus Cybercrime Solutions ran a Twitter account under the name Janus Secretary. The account was active during 2016 And 2017, but there have been no recent posts on the profile.

What does GoldenEye mean?

If you are a Bond fan, you have probably seen the movie GoldenEye. This is the inspiration for the name of GoldenEye ransomware. The hacker group itself takes its name from the movie as well.

In GoldenEye, a Russian crime organization called the Janus Syndicate takes advantage of the chaos during the collapse of the Soviet Union by hacking into the control system for two Soviet satellites. These Satellites are called Petya and Mischa. Then, they launch an electromagnetic pulse weapon called GoldenEye.

The Russian hacker group took the name of Janus and used the name of one of the satellites, Petya, for its ransomware. When they needed another name for their second virus, Mischa was available. However, there were only two satellites in the movie, so when the hackers were looking for a third name, they resorted to the film’s title.

The fact that the hackers identify so closely with this fictional crime syndicate indicates that they are Russian.

Successors to GoldenEye

The fame of the Petya series of ransomware is due to the actions of other hackers after Janus Cybercrime Solutions dropped their RaaS service at the end of 2016. Several other hacker groups scraped the code for the GoldenEye ransomware and integrated it into their ransomware. Petya had a good reputation because of its groundbreaking strategy. So, it had its imitators.

The notable copycats of GoldenEye ransomware and the original Petya are:

  • PetrWrap – A derivative of Green Petya that uses its intrusion mechanism.
  • Santana – A system with all the hallmarks of a test version and a copy of GoldenEye.
  • Petya+ – This is an impersonator of Petya rather than a copy.  It locks the screen and puts up a ransom demand, headed with the name Petya but doesn’t perform any encryption.
  • NotPetya – This is the most destructive version of Petya that made the whole series famous. The Sandworm hacker group wrote it on a commission from the GRU – Russia’s military intelligence service. This ransomware is also known as EternalPetya and ExPetr.

Although none of the versions of Petya were used for benign purposes, NotPetya is the trustworthy source of accusations about the Petya system. That ransomware is not truly part of the Petya cycle, as the GoldenEye ransomware is.

The NotPetya system was identified as a weapon used by the Russian government in June 2017 to seriously weaken Ukraine and assist Donbas separatists in gaining the upper hand in their fight for independence.

While 80 percent of all NotPetya attacks occurred in Ukraine, businesses in other countries were also hit. Despite having similarities with GoldenEye, NotPetya is not, in fact, ransomware. It simply overwrites the Master Boot Record, and it has no mechanism to reverse that damage – it is a wiper.

How does GoldenEye ransomware work?

GoldenEye had a very short life. Its first attacks were launched on the 5th December 2016, and its campaign did not outlast the year. While all of the previous versions of Petya communicated in English, GoldenEye wrote to targets in perfect German. It was a bespoke edition of a system that was offered as a Ransomware-as-a-Service system. Strangely, the Janus group should choose just to target Germany. It is possible that GoldenEye was custom built for a major client of the Petya RaaS platform.

The invasion routine of a GoldenEye attack started with research. Each target was a business advertising a vacancy. The targeting email was sent in response to an advert, so GoldenEye was not used for bulk mail-outs. The emails always came from Rolf Drescher. This was a dig at a German cybersecurity consultancy Dipl.- Ing. Rolf B. Drescher VDI & Partner that offered Petya mitigation services.

The email sent to targets had two attachments – a resume in PDF format and an XLS file. The XLS file contains the installer for GoldenEye implemented as macros, which would trigger when the file was opened.

The macros opened up a connection to a remote server, downloaded the code for Mischa, and then executed it. The installed then copied down and ran the low-level Petya code. GoldenEye had perfected Petya and overcome the block on systems that removed the requirement for the user account to have Administrator rights to get down to the operating system.

On starting, GoldenEye crashed the PC and restarted it. The user was then shown a fake CHKDSK screen, which was written in English. This showed a progress bar, seemingly to show the advancement of the check. However, this fronted the encryption process.

GoldenEye exploited a loophole in the Windows operating system to overwrite the Master Boot Record (MBR), disable the Safe Mode startup option, and then encrypt the Master File Table (MFT). The GoldenEye system uses RSA and AES encryption ciphers for its Mischa phase and Salsa20 encryption for its Petya processes.

When the MFT encryption process completes, the PC shows the GoldenEye logo, a skull, and cross-bones composed of text characters. The ransomware then showed its ransom instructions.

To recover from this attack, the user was instructed to install the Tor browser, surf to a specific website, and enter a unique ID. This website then gave the victim instruction on how to pay the ransom in Bitcoin. Once the payment had been made, the user was given a decryption key for the MFT locker and a decryptor utility to reverse the Mischa encryption.

Unlike some ransomware systems, the decryption routine worked well, and those targets that paid the ransom were able to recover fully.

Here is our list of the best ransomware protection packages that can block GoldenEye:

  1. ManageEngine Vulnerability Manager Plus (EDITOR’S CHOICE) This service implements the best way to guard against GoldenEye and other ransomware in the Petya group, which is to keep Windows fully patched. The service will also check for misconfigurations that could provide an entry point for other ransomware. Runs on Windows Server. Get a 30-day free trial.
  2. CrowdStrike Falcon Insight This system-wide endpoint detection and response package combines an on-device antivirus and threat-hunting package with a cloud-based SIEM system that coordinates the defense of all endpoints. The endpoint agent runs on Windows, macOS, and Linux.
  3. ManageEngine DataSecurity Plus This on-premises package includes many data protection measures and the strongest protection against ransomware is provided by file integrity monitoring. Runs on Windows Server.
  4. BitDefender GravityZone Get both an antivirus system and a backup service with this package that even scans files for viruses on the way in and out of the backup repository. Installs on Windows, macOS, iOS, and Android.

You can read more about each of these options in the following sections.

The best tools to protect against GoldenEye ransomware

The best protection against the GoldenEye ransomware is to educate users against opening attachments or following links in emails. You also need to regularly back up all devices on your system separately to avoid a virus infecting the backup files for your entire system on uploading from one endpoint.

There are some excellent tools available to protect against GoldenEye and all other ransomware attacks. Here are three.

Our methodology for selecting ransomware protection

We reviewed the market for system protection packages that block ransomware, such as GoldenEye, and analyzed the options based on the following criteria:

  • A backup system to enable encrypted data to be restored
  • Extensive antimalware systems
  • File integrity monitoring to identify and block unauthorized file encryption processes
  • Application whitelisting to prevent unauthorized programs from running
  • System-wide monitoring to spot the first endpoint that gets hit and protect the rest
  • A free trial or a demo system to enable an assessment before buying
  • Value for money from a ransomware protection package that is offered at a reasonable price

1. ManageEngine Vulnerability Manager Plus (FREE TRIAL)

ManageEngine Vulnerability Manager Plus Patches

ManageEngine Vulnerability Manager Plus includes a patch manager that can update Windows, Windows Server, macOS, Linux, and third-party software packages. GoldenEye and all of the Petya group of ransomware exploits a weakness in Windows and Windows Server. However, a fix for this problem has been in place in all versions of Windows that were shipped after June 2017. So, the danger that your system is exposed to this threat is very slight. Nonetheless, it is advisable that you keep all of your OSs and software up to date and that is part of the remit of Vulnerability Manager Plus.

Key Features:

  • Automatic software inventory creation
  • Patch availability reports
  • Automated patch application
  • A central repository of verified patches
  • Configuration assessments

Why do we recommend it?

ManageEngine Vulnerability Manager Plus provides preventative security scanning for IT systems. The tool looks at configuration errors and out of date software that can be exploited by intuders and malware. These security weaknesses are also susceptible to ransomware and so they need to be resolved quickly. Patching is included in this package.

This package is able to scan and patch endpoints running Windows, macOS, and Linux. ManageEngine maintains a library of patches that includes updates for software as well as for OSs. These installers are all pre-assessed and verified. The library gives each implementation of Vulnerability Manager Plus one location to visit to get a patch availability report and download installers.

Patching is only part of the capabilities of Vulnerability Manager Plus. The foundation of the package is its discovery routine. This logs all endpoints in a hardware inventory. The service installs an agent on each device and that scans for software, creating a software inventory.

The service scans each endpoint looking for configuration errors. That means it looks at the settings of the operating system and also of all software packages. Issues that the service looks for include open ports and default credentials. The system performs more checks for Windows than for macOS or Linux. However, that is a good strategy for ransomware protection because Windows is the most attacked operating system.

Who is it recommended for?

Any business would benefit from Vulnerability Manager Plus. The service is able to spot zero-day vulnerabilities, so it isn’t reliant on some security provider having already identified a bug. The package includes a patch manager to fix out of date software and there is a Free edition for small businesses.

Pros:

  • Asset discovery creatures and maintains hardware and software inventories
  • Produces vulnerability reports
  • Recommendations for configuration adjustments
  • Compliance management following the CIS benchmark
  • A central library of verified patches.

Cons:

  • Provides fewer vulnerability checks for macOS and Linux than for Windows

ManageEngine Produces three editions of Vulnerability Manager Plus. The Professional edition is suitable for managing endpoints on a LAN and the Enterprise edition looks after multiple sites from one location. There is a Free edition that provides all of the utilities of the Professional version but is limited to watching over 25 endpoints. You can get a 30-day free trial of Vulnerability Manager Plus Professional edition.

EDITOR'S CHOICE

ManageEngine Vulnerability Manager Plus is our top pick for protection against GoldenEye and other ransomware because this system hardens your IT assets against any type of attack, including ransomware infection. The service looks at device and software configurations and will automatically update software and OSs when patches become available. This system helps businesses protect on-premises assets, which are the most vulnerable to ransomware attacks. It has particularly extensive security checks for the Windows operating system.

Get 30 Day Free Trial: Manageengine.com/vulnerability-management

OS: Windows Server

2. CrowdStrike Falcon Insight

CrowdStrike Falcon Insight

CrowdStrike Falcon Insight is an endpoint detection and response system that includes resident modules on each endpoint plus a cloud-based module. While the endpoint modules provide constant protection for each device, the cloud service keeps all efforts coordinated and provides the processing power for the whole system.

Key Features:

  • Autonomous protection for endpoints
  • Local threat hunting
  • Centralized data pooling
  • Centralized threat hunting
  • Endpoint hardening

Why do we recommend it?

CrowdStrike Falcon Insight is a multi-level defense system. Local units installed on each endpoint provide immediate detection and response while a cloud SIEM mines activity data that those endpoint systems upload. This strategy provides anomaly detection on the device to stop unusual activities and a company-wide intelligence feed to block lateral movement.

This tool is perfect for defense against GoldenEye ransomware and all other malware because CrowdStrike has a research team that spots new malware quickly and tracks its development.

The device agent is also available as a standalone next-generation antivirus service. This is called CrowdStrike Falcon Prevent. By monitoring all of the installations of Falcon Prevent, the Falcon Insight system can quickly track all activity on the entire system.

The Falcon Insight service shares attack intelligence between all clients of the system. This means that as soon as one client experiences an attack from new malware, all other clients’ instances get notified. It isn’t possible to plan malware templates, such as ransomware, because there will always be new variants. The critical work is to detect unusual activity and block that device to prevent the infection from spreading. This is the “response” part of the Insight system.

Who is it recommended for?

The CrowdStrike system is very scaleable because you just need to install the AV on another endpoint to get that device covered by the entire Insight package. The system can be set up to implement automated responses. However, it is quite expensive, so it wouldn’t be the choice of small businesses.

Pros:

  • Cloud-Native Architecture: Falcon Insight operates on a cloud-native architecture, allowing for easy deployment and scalability.
  • Incident Response Capabilities: Falcon Insight includes incident response features that allow security teams to take immediate action when a threat is detected.
  • Threat Intelligence Integration: CrowdStrike incorporates threat intelligence feeds into its platform, enhancing the ability to identify and respond to emerging threats based on the latest information.
  • Behavioral Analysis: Falcon Insight employs behavioral analysis and machine learning to identify anomalous activities on endpoints, helping to detect sophisticated and evolving threats.

Cons:

  • Cost: CrowdStrike Falcon Insight may have a higher cost compared to some traditional endpoint security solutions. Organizations should carefully evaluate the pricing model and weigh it against the perceived value and security benefits.
  • Learning Curve: Some users may experience a learning curve when adopting Falcon Insight, particularly if they are transitioning from a different endpoint security solution. Training and onboarding may be necessary.
  • Limited Offline Functionality: Since Falcon Insight relies on cloud connectivity, its functionality may be limited in offline or isolated environments where internet access is restricted.

You can get a 15-day free trial of Falcon Prevent.

3. ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus focuses on monitoring file integrity. It is an excellent system to choose if you follow a data privacy security standard, such as PCI DSS, HIPAA, or GDPR. It is also a very suitable system for protection against GoldenEye ransomware and other malware that touches files.

Key Features:

  • File integrity monitoring
  • Blocks encryption attempts
  • Sensitive data protection
  • Compliance with HIPAA, PCI DSS, and GDPR

Why do we recommend it?

ManageEngine DataSecurity Plus is a package of data loss prevention systems to protect sensitive data. The functions in the package are also ideal for combatting ransomware, such as GoldenEye and Petya. The system spots the early phases of ransomware before encryption begins. The damaging actions can be blocked and reversed.

This is on-premises software that focuses on defending Windows, the prime target of GoldenEye ransomware. The software for this service runs on Windows Server.

The DataSecurity Plus system tracks all file activity. You can choose how the system reacts when it detects unauthorized file changes. It will send out an alert to notify you of unusual activity. Still, you can also specify automated responses, such as cutting the device off from the network, shutting it down, or logging the user off.

Who is it recommended for?

This package is actually a bundle of four tools and each is priced individually. So, you could save money by assessing each unit and deciding whether it meets your requirements. The package doesn’t include a backup service, so you might need to add that for full ransomware protection.

Pros:

  • DataSecurity Plus offers real-time monitoring of user activities, which can help detect and respond to ransomware threats promptly.
  • Provides alerts and reports to help organizations detect potential ransomware threats and take immediate action.
  • Works alongside other security tools for a more comprehensive defense against ransomware.
  • The solution assists in discovering and classifying sensitive data, helping organizations protect critical information that may be targeted by ransomware.

Cons:

  • Depending on the size of the organization and the volume of data being monitored, the solution may require significant resources, both in terms of hardware and network bandwidth.
  • Like any security tool, the effectiveness of DataSecurity Plus is dependent on regular updates to address emerging ransomware threats and vulnerabilities.

ManageEngine DataSecurity Plus is available for a 30-day free trial.

4. BitDefender GravityZone

Bitdefender GravityZone

BitDefender GravityZone offers many points of protection against the GoldenEye ransomware and other types of malware. This is a complete security package the protects endpoints and networks and scans for viruses at every location.

Key Features:

  • Antivirus
  • Backup and recovery
  • Backup repository protection

Why do we recommend it?

BitDefender GravityZone provides the perfect combination of services to protect against ransomware. That is, an anti-malware system and a backup and recovery service. The AV will spot and block ransomware as it executes and it doesn’t matter if some files have already been damaged because you can just delete them are replace them.

GravityZone includes a backup management system as well as endpoint antivirus protection. This means that ransomware is spotted as soon as it downloads onto an endpoint, but if, in the future, new ransomware can bypass AV checks, it will be spotted before it is uploaded to backup servers. Gravity Zone also manages to restore actions and makes further virus checks during that phase.

The GravityZone system also includes file integrity management, configuration management, vulnerability scanning, and automated patching. These are all essential tools for guarding against ransomware. In addition, with this suite of services, users have immediate protection, system hardening, system restore functions, and file monitoring, which are all tools that you need to protect against GoldenEye ransomware.

Who is it recommended for?

BitDefender produces GravityZone in many editions, each of which is suitable for a different market. There are editions for individuals, home offices, small businesses, large, multi-site organizations, and managed service providers. There isn’t a free edition but all of the versions are reasonably priced.

Pros:

  • The solution typically provides multi-layered security, combining various technologies such as antivirus, anti-malware, and heuristic analysis to enhance protection against ransomware.
  • GravityZone employs advanced threat detection mechanisms, including behavioral analysis and machine learning, to identify and block ransomware attacks.
  • GravityZone offers real-time response capabilities, enabling immediate actions when ransomware or other threats are detected.

Cons:

  • Deploying and configuring GravityZone may take some time, especially for organizations with complex network environments.
  • As with any security solution, there is a possibility of false positives, where legitimate applications or activities are incorrectly identified as malicious.
  • Deploying and configuring GravityZone may take some time, especially for organizations with complex network environments.
  • As with any security solution, there is a possibility of false positives, where legitimate applications or activities are incorrectly identified as malicious.

GravityZone runs as a virtual appliance, and it is available for a one-month free trial.