EternalBlue is the exploit that keeps on giving. A little over a month after WannaCry affected hundreds of thousands of devices around the world, the Bitdefender security company reported that a new "massive ransomware campaign" that revolves around a member of the GoldenEye ransomware family is "currently unfolding worldwide."
GoldenEye is particularly nasty because it's more thorough than other ransomware. Bitdefender said that in addition to encrypting individual files, GoldenEye also encrypts NTFS structures and "has a specialized routine that forcefully crashes the computer to trigger a reboot." There's currently no workaround--if your device is affected by GoldenEye, you'll either have to cough up the $300 ransom or bid farewell to that particular computer.
The Associated Press reported that GoldenEye has resulted in "serious intrusions at the Ukrainian power grid, banks, and government offices," as well as other places throughout Europe. Bitdefender said it doesn't yet know how GoldenEye is spreading, although it "presume[s] it to be carried by a wormable component," much like WannaCry did when it caused a similar panic in May. Bitdefender's security tools are said to block GoldenEye.
Of greatest concern is the discovery that GoldenEye relies on the same EternalBlue exploit as WannaCry. That exploit is believed to have been discovered by the NSA and, later, made public by the Shadow Brokers hacking group. EternalBlue affects every version of Windows between Windows XP and Windows 10. Or at least it did--Microsoft released a series of patches between March and June to defend Windows users from this exploit.
The problem is that many people don't regularly update their devices. BitSight reported earlier this month that it often takes at least a month for macOS-using organizations to install new point releases, and that 50% of Windows-using organizations still used Windows 7, while another 20% used XP or Vista. These delays are said to make organizations almost three times as likely to experience a publicly disclosed breach."
Operating system updates are delayed for a variety of reasons. Maybe an organization needs access to legacy software, for example, or an individual doesn't like rolling the dice on an unfamiliar OS. But no matter what the reason is, the fact remains that failing to install critical security patches makes these OS laggards more vulnerable to attack. WannaCry made that point in May; GoldenEye is driving it home right now.
GoldenEye has not yet been attributed to anyone, but there's a chance the campaign is being waged by the same group behind WannaCry. Reports from earlier this month said that the NSA believes North Korea's Reconnaissance General Bureau (RGB) was behind WannaCry, so it follows that perhaps it's responsible for GoldenEye, as well. We're bound to learn more about the attack, its motivations, and its perpetrator as the spread continues.
Bitdefender said that "GoldenEye /Petya operators have already received 13 payments in almost two hours," which is "$3.5K USD worth in digital currency." Petya, and its Petrwrap counterpart, are both members of the GoldenEye ransomware family that have been around since 2016.