The GoldenEye ransomware had a brief life, operating only in December 2016. As a result, this ransomware virus is not very well known. However, it is a version of a very well-known ransomware group called Petya
The original Petya surfaced in March 2016. It went through four versions in quick succession, and GoldenEye was the last of those. The Petya ransomware system originated in Russia, and the GoldenEye version specifically targeted German businesses.
What is distinctive about GoldenEye?
The GoldenEye ransomware is a combination of two attack strategies. First, two viruses get downloaded together. These are called Mischa and Petya. Second, like all ransomware, these viruses encrypt data and then demand a payment to get the decryption key.
Petya was groundbreaking at the time because it doesn’t encrypt files; it encrypts the file system. This strategy makes encryption impossible to circumvent.
Their owners do not launch Petya and GoldenEye attacks. Instead, these systems are made available to others in a Ransomware-as-a-Service format. So, the many targeted attacks were commanded by many different people.
Petya was first released for a limited customer base in a Beta version. This was called Red Petya because its logo and ransom note showed on a red background. Unfortunately, Petya wasn’t so successful because it required Administrator privileges to get down to the operating system and perform its encryption.
When the system went into general release, the developers improved the design and changed its color theme, making it Green Petya. Unfortunately,this version introduced Mischa, which works like a traditional ransomware attacker by encrypting files. The Petya system now tried its low-level attack, and if it couldn’t get the Administrator level, it launched Mischa.
An intermediate release, version 2.5, fix bugs in the ransomware. This was still running as Green Petya. As the fourth version of Petya, release 3.0, GoldenEye was the perfected system. GoldenEye launches both Mischa and Petya, with Mischa running first. So, this is a double encryption system. Marking the change from Green Petya, the livery of GoldenEye is yellow and black.
Where does GoldenEye ransomware come from?
The creators of GoldenEye are called Janus Cybercrime Solutions. This is not one of the big state-sponsored hacker groups. However, clues in its imagery, branding and naming conventions point to the group being based in Russia.
Janus Cybercrime Solutions ran a Twitter account under the name Janus Secretary. The account was active during 2016 And 2017, but there have been no recent posts on the profile.
What does GoldenEye mean?
If you are a Bond fan, you have probably seen the movie GoldenEye. This is the inspiration for the name of GoldenEye ransomware. The hacker group itself takes its name from the movie as well.
In GoldenEye, a Russian crime organization called the Janus Syndicate takes advantage of the chaos during the collapse of the Soviet Union by hacking into the control system for two Soviet satellites. These Satellites are called Petya and Mischa. Then, they launch an electromagnetic pulse weapon called GoldenEye.
The Russian hacker group took the name of Janus and used the name of one of the satellites, Petya, for its ransomware. When they needed another name for their second virus, Mischa was available. However, there were only two satellites in the movie, so when the hackers were looking for a third name, they resorted to the film’s title.
The fact that the hackers identify so closely with this fictional crime syndicate indicates that they are Russian.
Successors to GoldenEye
The fame of the Petya series of ransomware is due to the actions of other hackers after Janus Cybercrime Solutions dropped their RaaS service at the end of 2016. Several other hacker groups scraped the code for the GoldenEye ransomware and integrated it into their ransomware. Petya had a good reputation because of its groundbreaking strategy. So, it had its imitators.
The notable copycats of GoldenEye ransomware and the original Petya are:
- PetrWrap – A derivative of Green Petya that uses its intrusion mechanism.
- Santana – A system with all the hallmarks of a test version and a copy of GoldenEye.
- Petya+ – This is an impersonator of Petya rather than a copy. It locks the screen and puts up a ransom demand, headed with the name Petya but doesn’t perform any encryption.
- NotPetya – This is the most destructive version of Petya that made the whole series famous. The Sandworm hacker group wrote it on a commission from the GRU – Russia’s military intelligence service. This ransomware is also known as EternalPetya and ExPetr.
Although none of the versions of Petya were used for benign purposes, NotPetya is the trustworthy source of accusations about the Petya system. That ransomware is not truly part of the Petya cycle, as the GoldenEye ransomware is.
The NotPetya system was identified as a weapon used by the Russian government in June 2017 to seriously weaken Ukraine and assist Donbas separatists in gaining the upper hand in their fight for independence.
While 80 percent of all NotPetya attacks occurred in Ukraine, businesses in other countries were also hit. Despite having similarities with GoldenEye, NotPetya is not, in fact, ransomware. It simply overwrites the Master Boot Record, and it has no mechanism to reverse that damage – it is a wiper.
How does GoldenEye ransomware work?
GoldenEye had a very short life. Its first attacks were launched on the 5th December 2016, and its campaign did not outlast the year. While all of the previous versions of Petya communicated in English, GoldenEye wrote to targets in perfect German. It was a bespoke edition of a system that was offered as a Ransomware-as-a-Service system. Strangely, the Janus group should choose just to target Germany. It is possible that GoldenEye was custom built for a major client of the Petya RaaS platform.
The invasion routine of a GoldenEye attack started with research. Each target was a business advertising a vacancy. The targeting email was sent in response to an advert, so GoldenEye was not used for bulk mail-outs. The emails always came from Rolf Drescher. This was a dig at a German cybersecurity consultancy Dipl.- Ing. Rolf B. Drescher VDI & Partner that offered Petya mitigation services.
The email sent to targets had two attachments – a resume in PDF format and an XLS file. The XLS file contains the installer for GoldenEye implemented as macros, which would trigger when the file was opened.
The macros opened up a connection to a remote server, downloaded the code for Mischa, and then executed it. The installed then copied down and ran the low-level Petya code. GoldenEye had perfected Petya and overcome the block on systems that removed the requirement for the user account to have Administrator rights to get down to the operating system.
On starting, GoldenEye crashed the PC and restarted it. The user was then shown a fake CHKDSK screen, which was written in English. This showed a progress bar, seemingly to show the advancement of the check. However, this fronted the encryption process.
GoldenEye exploited a loophole in the Windows operating system to overwrite the Master Boot Record (MBR), disable the Safe Mode startup option, and then encrypt the Master File Table (MFT). The GoldenEye system uses RSA and AES encryption ciphers for its Mischa phase and Salsa20 encryption for its Petya processes.
When the MFT encryption process completes, the PC shows the GoldenEye logo, a skull, and cross-bones composed of text characters. The ransomware then showed its ransom instructions.
To recover from this attack, the user was instructed to install the Tor browser, surf to a specific website, and enter a unique ID. This website then gave the victim instruction on how to pay the ransom in Bitcoin. Once the payment had been made, the user was given a decryption key for the MFT locker and a decryptor utility to reverse the Mischa encryption.
Unlike some ransomware systems, the decryption routine worked well, and those targets that paid the ransom were able to recover fully.
Here is our list of the best ransomware protection packages that can block GoldenEye:
- CrowdStrike Falcon Insight EDITOR’S CHOICE This system-wide endpoint detection and response package combines an on-device antivirus and threat-hunting package with a cloud-based SIEM system that coordinates the defense of all endpoints. The endpoint agent runs on Windows, macOS, and Linux.
- ManageEngine DataSecurity Plus This on-premises package includes many data protection measures and the strongest protection against ransomware is provided by file integrity monitoring. Runs on Windows Server.
- BitDefender GravityZone Get both an antivirus system and a backup service with this package that even scans files for viruses on the way in and out of the backup repository. Installs on Windows, macOS, iOS, and Android.
You can read more about each of these options in the following sections.
The best tools to protect against GoldenEye ransomware
The best protection against the GoldenEye ransomware is to educate users against opening attachments or following links in emails. You also need to regularly back up all devices on your system separately to avoid a virus infecting the backup files for your entire system on uploading from one endpoint.
There are some excellent tools available to protect against GoldenEye and all other ransomware attacks. Here are three.
Our methodology for selecting ransomware protection
We reviewed the market for system protection packages that block ransomware, such as GoldenEye, and analyzed the options based on the following criteria:
- A backup system to enable encrypted data to be restored
- Extensive antimalware systems
- File integrity monitoring to identify and block unauthorized file encryption processes
- Application whitelisting to prevent unauthorized programs from running
- System-wide monitoring to spot the first endpoint that gets hit and protect the rest
- A free trial or a demo system to enable an assessment before buying
- Value for money from a ransomware protection package that is offered at a reasonable price
CrowdStrike Falcon Insight is an endpoint detection and response system that includes resident modules on each endpoint plus a cloud-based module. While the endpoint modules provide constant protection for each device, the cloud service keeps all efforts coordinated and provides the processing power for the whole system.
- Autonomous protection for endpoints
- Local threat hunting
- Centralized data pooling
- Centralized threat hunting
- Endpoint hardening
Why do we recommend it?
CrowdStrike Falcon Insight is a multi-level defense system. Local units installed on each endpoint provide immediate detection and response while a cloud SIEM mines activity data that those endpoint systems upload. This strategy provides anomaly detection on the device to stop unusual activities and a company-wide intelligence feed to block lateral movement.
This tool is perfect for defense against GoldenEye ransomware and all other malware because CrowdStrike has a research team that spots new malware quickly and tracks its development.
The device agent is also available as a standalone next-generation antivirus service. This is called CrowdStrike Falcon Prevent. By monitoring all of the installations of Falcon Prevent, the Falcon Insight system can quickly track all activity on the entire system.
The Falcon Insight service shares attack intelligence between all clients of the system. This means that as soon as one client experiences an attack from new malware, all other clients’ instances get notified. It isn’t possible to plan malware templates, such as ransomware, because there will always be new variants. The critical work is to detect unusual activity and block that device to prevent the infection from spreading. This is the “response” part of the Insight system.
Who is it recommended for?
The CrowdStrike system is very scaleable because you just need to install the AV on another endpoint to get that device covered by the entire Insight package. The system can be set up to implement automated responses. However, it is quite expensive, so it wouldn’t be the choice of small businesses.
You can get a 15-day free trial of Falcon Prevent.
CrowdStrike Falcon Insight is our top pick for a ransomware protection system because it stops lateral movement from infecting your entire business. This tool provides on-device antimalware that works on an anomaly detection basis. This means that even if a brand new strain of ransomware hits one of your computers before anywhere else in the world, the CrowdStrike system will still be able to spot its malicious intent and block it. The endpoint protection is able to continue operating even if the device is disconnected from the network. A central data gatherer and threat hunter communicates the experiences of the one infected device to all of the other computers on the network so that they can guard against the ransomware.
OS: Cloud, Windows, macOS, and Linux
ManageEngine DataSecurity Plus focuses on monitoring file integrity. It is an excellent system to choose if you follow a data privacy security standard, such as PCI DSS, HIPAA, or GDPR. It is also a very suitable system for protection against GoldenEye ransomware and other malware that touches files.
- File integrity monitoring
- Blocks encryption attempts
- Sensitive data protection
- Compliance with HIPAA, PCI DSS, and GDPR
Why do we recommend it?
ManageEngine DataSecurity Plus is a package of data loss prevention systems to protect sensitive data. The functions in the package are also ideal for combatting ransomware, such as GoldenEye and Petya. The system spots the early phases of ransomware before encryption begins. The damaging actions can be blocked and reversed.
This is on-premises software that focuses on defending Windows, the prime target of GoldenEye ransomware. The software for this service runs on Windows Server.
The DataSecurity Plus system tracks all file activity. You can choose how the system reacts when it detects unauthorized file changes. It will send out an alert to notify you of unusual activity. Still, you can also specify automated responses, such as cutting the device off from the network, shutting it down, or logging the user off.
Who is it recommended for?
This package is actually a bundle of four tools and each is priced individually. So, you could save money by assessing each unit and deciding whether it meets your requirements. The package doesn’t include a backup service, so you might need to add that for full ransomware protection.
ManageEngine DataSecurity Plus is available for a 30-day free trial.
BitDefender GravityZone offers many points of protection against the GoldenEye ransomware and other types of malware. This is a complete security package the protects endpoints and networks and scans for viruses at every location.
- Backup and recovery
- Backup repository protection
Why do we recommend it?
BitDefender GravityZone provides the perfect combination of services to protect against ransomware. That is, an anti-malware system and a backup and recovery service. The AV will spot and block ransomware as it executes and it doesn’t matter if some files have already been damaged because you can just delete them are replace them.
GravityZone includes a backup management system as well as endpoint antivirus protection. This means that ransomware is spotted as soon as it downloads onto an endpoint, but if, in the future, new ransomware can bypass AV checks, it will be spotted before it is uploaded to backup servers. Gravity Zone also manages to restore actions and makes further virus checks during that phase.
The GravityZone system also includes file integrity management, configuration management, vulnerability scanning, and automated patching. These are all essential tools for guarding against ransomware. In addition, with this suite of services, users have immediate protection, system hardening, system restore functions, and file monitoring, which are all tools that you need to protect against GoldenEye ransomware.
Who is it recommended for?
BitDefender produces GravityZone in many editions, each of which is suitable for a different market. There are editions for individuals, home offices, small businesses, large, multi-site organizations, and managed service providers. There isn’t a free edition but all of the versions are reasonably priced.
GravityZone runs as a virtual appliance, and it is available for a one-month free trial.