New information continues to emerge about how the GoldenEye ransomware campaign operates, who it's affected, and why it was conducted.
The campaign revolves around GoldenEye, a variant of the Petya ransomware family. Bitdefender, the Romanian security company that analyzed the attack, said yesterday that it didn't know how the ransomware was spreading. Now the company has said that at least some of the infections resulted from a compromised update to the MeDOC accounting software. MeDOC is widely used in Ukraine, which explains why the country was "patient zero" in this attack and why so many Ukrainian businesses and government organizations were hit by the ransomware.
Microsoft confirmed that the GoldenEye / Petya ransomware campaign started in Ukraine. The company said more than 12,500 machines encountered the threat there before it spread to more than 64 other countries, Russia, Germany, and the U.S. among them. WVVA and CBS Pittsburgh reported that Princeton Community Hospital and the Heritage Valley Health System were both affected by the attack. Other victims include several banks, Ukraine's Ukrenergo power distributor, and Chernobyl's radiation monitoring system.
Petya differs from most ransomware in that it doesn't just encrypt individual files. It overwrites the Master Boot Record with its own bootloader, forces the system to reboot, and then encrypts the NTFS Master File Table (MFT), the index that tells the file system where every file lives; the file contents stay on disk but the volume becomes unreadable. Because the MFT encryption happens only after the forced reboot, cutting power before the machine restarts and then booting it from other media is currently the only way to save its files. Once the fake CHKDSK screen has run, the data is gone. Even paying the ransom won't work: Posteo, the email provider GoldenEye / Petya's operators used for ransom payments, suspended the account associated with the attack, so there is no channel through which the attackers could send a decryption key even if they wanted to.
Bitdefender said that using a service like Posteo made it seem like these attackers were more interested in disruption than profit:
- The choice of a regular, non-bulletproof e-mail service provider to act as a communication channel was obviously a wrong decision in terms of business.
- The lack of automation in the payment & key retrieval process makes it really difficult for the attacking party to honor their end of the promise.
- There is a total lack of usability in the payment confirmation: the user has to manually type an extremely long, mixed-case “personal installation key” plus a “wallet”, which is prone to typos.
Bitdefender and Microsoft have both responded to the attack with security updates. Bitdefender's software prevents the Petya ransomware from being installed, and Microsoft said that it "released cloud-delivered protection updates and made updates to our signature definition packages" after it detected the attack. That should help limit the campaign's spread. Then again, the same was true of the patches Microsoft has released over the last few months, which are supposed to protect everything from Windows XP to Windows 10 from ransomware campaigns like this one: MS17-010, issued in March, closes the SMBv1 flaw that EternalBlue exploits, and Microsoft extended the fix to Windows XP and Server 2003 after WannaCry. Patching alone isn't a complete defense here, though. Microsoft's own analysis found that this worm also moves laterally with stolen credentials through PsExec and WMIC, so a fully patched machine can still be infected from an already-compromised host on the same network.
Both companies have said that Petya spreads via the same EternalBlue exploit as the WannaCry ransomware campaign in May. After WannaCry, Microsoft blamed the NSA for stockpiling the flaw, since EternalBlue is believed to have originated with the agency; the NSA in turn reportedly blamed that attack on North Korea. The exploit was leaked by the Shadow Brokers in April, and it has now been used to facilitate two global attacks that have affected hospitals, banks, power companies, and other critical organizations. We wouldn't be surprised if the exploit is used in a similar attack later on.
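Since the two campaigns share the same entry vector, the first thing an administrator wants to know is whether a given Windows host is still exposed to it. The script below is an added example for this article, not code from Microsoft, Bitdefender, or the original piece. It uses built-in PowerShell cmdlets to report whether SMBv1 (the protocol EternalBlue targets) is enabled and whether one of the MS17-010 hotfix IDs is listed, and can turn SMBv1 off. It assumes a Windows 8.1 or Windows 10 client run from an elevated prompt; the KB list is the March 2017 set as published and is assumed to be complete only for those releases. Later cumulative updates supersede those KBs, so a missing hotfix ID is not proof of an unpatched machine, whereas the SMBv1 state is something the host reports directly.

```powershell
# Added example: audit a Windows host for the conditions EternalBlue needs
# (SMBv1 reachable, MS17-010 absent) and optionally disable SMBv1.
# Assumption: Windows 8.1 / Windows 10 client, elevated PowerShell session.
# Illustrative code, not Microsoft's or Bitdefender's.

param(
    [switch]$Remediate   # pass -Remediate to disable SMBv1 after the audit
)

# MS17-010 hotfix IDs as published in March 2017 (assumed list). Later
# cumulative updates supersede these, so absence alone is not conclusive.
$Ms17010 = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429',  # Windows 10 1507 / 1511 / 1607
    'KB4012598'                             # Vista / 2008, and the XP / 2003 out-of-band release
)

function Test-Ms17010Present {
    # Get-HotFix lists installed updates by KB number.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty HotFixID
    $hits = @($Ms17010 | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Present = ($hits.Count -gt 0)
        Matched = ($hits -join ',')
    }
}

function Test-Smb1Enabled {
    # Server side: whether this host will still negotiate SMB1 with peers.
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Feature state: whether the SMB1 binaries are installed at all.
    # Wrapped in try/catch because the DISM feature name differs on some server SKUs.
    try {
        $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    } catch {
        $feature = 'Unknown'
    }
    [pscustomobject]@{
        ServerEnabled = [bool]$server
        FeatureState  = [string]$feature
    }
}

$patch = Test-Ms17010Present
$smb   = Test-Smb1Enabled

Write-Host "MS17-010 hotfix listed : $($patch.Present) $($patch.Matched)"
Write-Host "SMBv1 server enabled   : $($smb.ServerEnabled)"
Write-Host "SMB1Protocol feature   : $($smb.FeatureState)"

if ($smb.ServerEnabled) {
    Write-Warning "SMBv1 is enabled; if MS17-010 is missing, this host is reachable by EternalBlue."
    if ($Remediate) {
        # Stop negotiating SMB1 immediately, then remove the feature so it
        # cannot quietly come back. A reboot completes the feature removal.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        Write-Host "SMBv1 disabled; reboot to complete."
    }
}
```

Run it once without `-Remediate` to see the state, then with `-Remediate` on hosts that have no legitimate need for SMBv1 (old NAS boxes and printers are the usual holdouts). Disabling SMBv1 removes the EternalBlue path regardless of patch level, but, as noted above, it does nothing against the credential-based lateral movement this worm also uses, so it complements MS17-010 rather than replacing good credential hygiene.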