When the Petya/GoldenEye cyber event started about 48 hours ago, it looked like a more damaging upgrade to WannaCry. But as the dust settles it’s becoming clear the makers and distributors of Petra/GoldenEye were not interested in money.
One of the earliest indicators that Petya/GoldenEye was about damage and not profit stemmed from the payment mechanism the criminals used. As reported yesterday, the email address used to collect the US$300 ransom was disabled very early on in the attack.
Ransomware attackers are usually a little smarter than this and have contingencies in place for receiving payment. Until now, ransomware was all about profit. The bad guys almost always unlocked machines after being paid as that’s their business model.
Once you’re hit with Petya/GoldenEye (and assuming you don’t have reliable, air-gapped back-ups) you’re screwed.
The second hint that Petya/GoldeEye isn’t really a ransomware attack is the initial target. Although the malware spread using the same SMB 1.0 vulnerability WannaCry exploited, the initial blast radius was in the Ukraine – a region that has already suffered significant cyber-attacks against its power system.
Like an earthquake, it’s the epicentre where you need to look for the greatest damage and source. Earlier today, I reported a Ukrainian accounting software company looks to be where the Petya/GoldenEye party started although, according to Malwarebytes, the company in question is denying they were the initial source.
Given the initial target area and the lack of reliable payment mechanism, it seems Petya/GoldenEye is not a true ransomware attack. It seems to be an attack wholly focussed on reaking damage and causing as much disruption as possible.
Also, once you take away financial motivation, and note that the initial target is a politically “interesting” part of the world, it’s possible the reasons behind this attack are ideologically motivated. It seems a little unsophisticated to be a nation-state attack but a hacktivist group could be a likely suspect for launching the attack.
If you’re hit by Petya/GoldenEye it seems your only recourse is to go back to your last reliable backup. And make sure all your machines are patched and running up to date end-point protection software.
Comments
3 responses to “Petya/GoldenEye Has An Appetite For Destruction”
What if they’re actually trying to disrupt the ransomware economy? If you can undermine people’s confidence in the reliability of getting their data back upon paying the ransom, you can pretty much take out the legs of the ransomware industry.
That’s an interesting take – I’d not thought of it as an attack on the ransomware business.
Spelling: should be “wreaking damage”. And I agree with @drcollossus that this might undermine the standard ransomware advice of “just pay” for businesses, but it’s probably more of a combination of effects: the authors didn’t have a backup plan in place for receiving payment, then the email provider shut down their address for criminal activity.