Bitdefender: GoldenEye Ransomware Campaign Spreads Throughout Europe

EternalBlue is the exploit that keeps on giving. A little over a month after WannaCry hit hundreds of thousands of devices around the world, security company Bitdefender reported that a new "massive ransomware campaign" built around a member of the GoldenEye ransomware family is "currently unfolding worldwide."

GoldenEye is particularly nasty because it is more thorough than most ransomware. Bitdefender said that in addition to encrypting individual files, GoldenEye also encrypts NTFS structures (the Master File Table that records where every file lives on the disk) and "has a specialized routine that forcefully crashes the computer to trigger a reboot," after which the machine boots into the ransom screen instead of Windows. There is currently no workaround and no free decryptor: if your device is affected by GoldenEye, you either cough up the $300 ransom or bid farewell to the data on that particular disk. The hardware itself is unharmed; wiping the drive, reinstalling and restoring from a clean, offline backup is the realistic recovery path.

The Associated Press reported that GoldenEye has caused "serious intrusions at the Ukrainian power grid, banks, and government offices," as well as at other organizations throughout Europe. Bitdefender said it does not yet know exactly how GoldenEye is spreading, although it "presume[s] it to be carried by a wormable component," much as WannaCry was when it caused a similar panic in May. Bitdefender says its own security tools block GoldenEye.

Of greatest concern is the discovery that GoldenEye relies on the same EternalBlue exploit as WannaCry. EternalBlue targets a flaw in Windows' SMBv1 file-sharing service (CVE-2017-0144, fixed in Microsoft's MS17-010 update). The exploit is believed to have been developed by the NSA and was later made public by the Shadow Brokers hacking group. EternalBlue affected every version of Windows from Windows XP through Windows 10. Or at least it did: Microsoft released a series of patches between March and June to defend Windows users from this exploit, including out-of-band updates for versions that had already left support.

The problem is that many organizations and individuals don't update their devices promptly. BitSight reported earlier this month that it often takes at least a month for macOS-using organizations to install new point releases, that 50% of Windows-using organizations still ran Windows 7, and that another 20% ran XP or Vista. These delays are said to make organizations "almost three times as likely to experience a publicly disclosed breach."

Operating system updates are delayed for a variety of reasons. Maybe an organization depends on legacy software that only runs on an older release, for example, or an individual doesn't want to roll the dice on an unfamiliar OS. But whatever the reason, the fact remains that failing to install critical security patches leaves these OS laggards more vulnerable to attack. WannaCry made that point in May; GoldenEye is driving it home right now.
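The two things an administrator actually wants to know after reading the above are whether a given Windows host still exposes the SMBv1 service that EternalBlue targets, and whether it has taken any update since Microsoft shipped the MS17-010 fix on 14 March 2017. The following PowerShell script is an added example, not code from the article or from Bitdefender. It assumes it is run on the host being checked, in an elevated prompt (the SMB cmdlets need it), and it uses the date of the newest installed hotfix as a heuristic because the MS17-010 KB number differs per Windows version; the registry value it reads on Windows 7 is Microsoft's documented switch for SMBv1 (absent or 1 means enabled).

```powershell
# Added example: report SMBv1 exposure and patch recency on the local Windows host.
# Run from an elevated PowerShell prompt. Not part of the original article.

$fixReleased = Get-Date '2017-03-14'   # MS17-010 publication date

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: LanmanServer 'SMB1' DWORD; missing or non-zero means enabled.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value  = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value -or $value -ne 0)
}

function Get-LatestHotfixDate {
    # InstalledOn can be empty for some entries, so filter before sorting.
    $dates = Get-HotFix | Where-Object { $_.InstalledOn } | ForEach-Object { [datetime]$_.InstalledOn }
    if ($dates) { return ($dates | Sort-Object -Descending | Select-Object -First 1) }
    return $null
}

$smb1Enabled = Get-Smb1Enabled
$latest      = Get-LatestHotfixDate
$osVersion   = [System.Environment]::OSVersion.VersionString

Write-Host "Host:           $env:COMPUTERNAME ($osVersion)"
Write-Host "SMBv1 enabled:  $smb1Enabled"
Write-Host "Latest hotfix:  $(if ($latest) { $latest.ToShortDateString() } else { 'none recorded' })"

if ($smb1Enabled) {
    Write-Warning 'SMBv1 is enabled; EternalBlue can reach this host if MS17-010 is missing.'
    Write-Host 'Disable it on Windows 8/2012 and later:'
    Write-Host '    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    Write-Host 'Disable it on Windows 7/2008 R2 (reboot afterwards):'
    Write-Host '    Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -Name SMB1 -Type DWORD -Value 0 -Force'
}
if ($null -eq $latest -or $latest -lt $fixReleased) {
    Write-Warning 'No update recorded since MS17-010 was released; confirm the MS17-010 KB for this OS is installed.'
}
```

Disabling SMBv1 removes the network path EternalBlue uses, but it is a mitigation, not the fix: the host still needs the MS17-010 update for its OS version, and a recent hotfix date only shows that updates are being applied at all, not that the specific KB is present.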

GoldenEye has not yet been attributed to anyone, but there is a chance the campaign is being waged by the same group behind WannaCry. Reports from earlier this month said the NSA believes North Korea's Reconnaissance General Bureau (RGB) was behind WannaCry, so it would follow that the RGB could be responsible for GoldenEye as well. We are bound to learn more about the attack, its motivations, and its perpetrator as the spread continues.

Bitdefender said that "GoldenEye /Petya operators have already received 13 payments in almost two hours," which is "$3.5K USD worth in digital currency." GoldenEye is a variant of Petya, the disk-encrypting ransomware first seen in 2016; PetrWrap, which repackages Petya's code, belongs to the same family.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • yamahahornist
    What? "bid farewell to that particular computer"; I forgot that once the hard drive goes down the entire computer hardware magically stops working forever. That is horribly misleading information. If you get affected by a ransomware attack, just reformat the drive and you're good to go, or even purchase a new hard drive. I thought this was a tech site? The last thing I would want is some naive person tossing out their $600 computer due to bad information.
    Reply
  • stoned_ritual
    Yep. Whenever I get a virus, I just toss that whole computer in the trash and get a new one. As we all do.
    Reply
  • drtweak
    Oh snap, I thought I was the only one who tossed it out when I got a virus? Oh wait, I have never gotten a virus XD
    Reply
  • dark_lord69
    Yeah, the last time I got a virus...
    Format C:
    I lost nothing.
    Reply
  • problematiq
    Also, the email provider the group was using has blocked their account. So if you are infected, your options are lose the data or wait and hope for a decryptor.
    Reply
  • redgarl
    Well... duh... do your backups.
    Reply
  • shiitaki
    Actually, it is possible to write to the firmware on the motherboard, so it is impossible to ever be sure that an infected computer is clean. For that matter, as shown by Lenovo's behavior, can you ever be sure? The answer is no.
    Reply
  • beetlejuicegr
    You should understand your needs on your PC don't necessarily reflect the rest. Many professionals see their work PC as a machine that will never die. Many of them won't listen to their IT on backup schedules etc.
    There are also many programs still used on XP, and companies that don't understand the need for virtualization..
    If you get cryptlocked and you have backups..yeap, easy stuff..but if you don't..QQ
    Reply
  • nukemaster
    19870148 said:
    What? "bid farewell to that particular computer"; I forgot that once the hard drive goes down the entire computer hardware magically stops working forever. That is horribly misleading information. If you get affected by a ransomware attack, just reformat the drive and you're good to go, or even purchase a new hard drive. I thought this was a tech site? The last thing I would want is some naive person tossing out their $600 computer due to bad information.
    Damn. Think of all the computers I could have saved instead of just tossing them. :)
    Reply
  • hoofhearted
    They should fine the people who pay the ransom.
    Reply