J0k3rj0k3r Posted June 27, 2017

Several companies confirmed so far to have fallen victim to GoldenEye/Petya ransomware: Chernobyl's radiation monitoring system, DLA Piper law firm, pharma company Merck, a number of banks, an airport, the Kiev metro, Danish shipping and energy company Maersk, British advertiser WPP and Russian oil industry company Rosneft. The attacks were widespread in Ukraine, affecting Ukrenergo, the state power distributor, and several of the country's banks.

GoldenEye/Petya operators have already received 13 payments in almost two hours. That is $3.5K USD worth in digital currency.

Bitdefender has identified a massive ransomware campaign that is currently unfolding worldwide. Preliminary information shows that the malware sample responsible for the infection is an almost identical clone of the GoldenEye ransomware family. At the time of writing this there is no information about the propagation vector, but we presume it to be carried by a wormable component.

Unlike most ransomware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another one that encrypts NTFS structures. This approach prevents victims' computers from being booted up in a live OS environment and retrieving stored information or samples.

Just like Petya, GoldenEye encrypts the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer. Additionally, after the encryption process is complete, the ransomware has a specialized routine that forcefully crashes the computer to trigger a reboot that renders the computer unusable until the $300 ransom is paid.

Source
Diabl0 Posted June 27, 2017 (edited)

Re: GoldenEye/Petya ransomware

Just a heads up: if anyone fears the NotPetya infection, you can easily vaccinate your PC from it. Based on the sample analysis I did, the ransomware searches for a file (perfc) in C:\Windows before it begins the encryption scheme. If found, the ransomware stops and exits.

All you have to do is create a file in C:\Windows\ called perfc and set it to read-only. Here is a simple bat file to do it:

Run that as admin... and you should be vaccinated from this shit. That's all!

PS: This only stops the encryption module from starting and NOT the spreading scheme (wmic and smb)!

Edited June 28, 2017 by Diabl0
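The vaccination step described in the post above, written as an added PowerShell example; it is not Diabl0's batch file and not code from any vendor. It assumes the kill-switch file is exactly `perfc` in `%SystemRoot%` (the only name the post gives; the `-Names` parameter is an assumption added so other names can be supplied if a sample is found to check a different one) and that it is run from an elevated session, which the post also requires. It creates the file if missing, sets the read-only attribute, and then reports the resulting state so the result can be verified on a fleet rather than assumed.

```powershell
# Added example (not the post's batch file): create and verify the read-only
# "perfc" vaccine file described in the thread.
# Assumption: the kill-switch name is "perfc" under %SystemRoot%, as the post states.
# Caveat from the post itself: this only stops the encryption module; it does
# NOT stop lateral spread over WMIC/SMB, so patching and network controls still apply.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Install-PerfcVaccine {
    param(
        [string[]]$Names     = @('perfc'),        # assumption: extendable list; post names only "perfc"
        [string]  $Directory = $env:SystemRoot     # normally C:\Windows
    )
    if (-not (Test-IsElevated)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }
    foreach ($name in $Names) {
        $path = Join-Path -Path $Directory -ChildPath $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # Empty file is enough; the post says only presence is checked.
            New-Item -ItemType File -Path $path | Out-Null
        }
        # Read-only attribute, as the post recommends.
        $item = Get-Item -LiteralPath $path
        if (-not $item.IsReadOnly) {
            $item.IsReadOnly = $true
        }
    }
}

function Test-PerfcVaccine {
    param(
        [string[]]$Names     = @('perfc'),
        [string]  $Directory = $env:SystemRoot
    )
    foreach ($name in $Names) {
        $path   = Join-Path -Path $Directory -ChildPath $name
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        [pscustomobject]@{
            Path     = $path
            Exists   = $exists
            ReadOnly = if ($exists) { (Get-Item -LiteralPath $path).IsReadOnly } else { $false }
        }
    }
}

# Apply the vaccine and show the verification table.
Install-PerfcVaccine
Test-PerfcVaccine | Format-Table -AutoSize
```

`Test-PerfcVaccine` can be run on its own (no elevation needed) to audit machines that were supposedly vaccinated; a row with `Exists = False` or `ReadOnly = False` is a host where the step did not take.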
MarkusGod Posted August 27, 2017

Re: GoldenEye/Petya ransomware

Did you get the sources manually from the disassembled code, or did you use some kind of decompiler?