On June 27, 2017, a large-scale attack using a variant of the ransomware family known as GoldenEye affected much of the world.

In addition to encrypting files on the computer, this ransomware family is characterized by encrypting the MBR when it has permissions, thus blocking full access to the computer. The attack can almost be seen as a replica of the much-feared WannaCry attack that shook the world a little over a month ago.

This version of the malware is distributed as a DLL with an EXPORT, which is named with a parameter that changes with each sample to begin the encryption process on the computer.

When it runs, it encrypts certain files on compromised system drives. In turn, if it has administrator permissions, it also encrypts the system boot sector by preventing access to the computer unless an access key that decrypts the system is entered.

That key is assumed to be delivered once payment of the ransom has been made.

The sample creates a scheduled task to shut down the computer afterwards.

Upon restarting the computer, GoldenEye displays a fake window indicating that a disk problem is being solved.

Afterward, it shows the window seeking the ransom.

Propagation

In this case, we’ve seen various methods of entry and propagation on compromised networks:

  • An attack against the update system of MeDoc, a much-used file management service in Ukraine (a country gravely affected by the attack)
  • ETERNALBLUE: This malware variant uses code that exploits the vulnerability published by Microsoft on March 14, described in the bulletin MS17-010.
  • PSEXEC: Incorporates remote execution on the system using the PSEXEC command.
  • WMI: Incorporates remote execution on the system using the WMI command.

You can access further details on the attack in the technical report from PandaLabs.

List of related files

7e37ab34ecdcc3e77e24522ddfd4852d

71b6a493388e7d0b40c83ce903bc6b04

Tips and Recommendations

  • Be cautious of documents contained in emails from untrusted senders. Analyze all incoming and outgoing emails to detect threats, and filter executables to prevent them from getting to the end user.
  • Keep your operating systems, software, and firmware updated on all devices.
  • In this case, as we have detected the use of ETERNALBLUE, we recommend that you make sure the following patch is installed on all computers across your network:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

  • Only trust Next-Generation Endpoint Protection solutions such as Adaptive Defense and Adaptive Defense 360.
  • If you are already a client of Adaptive Defense, and in case of new large-scale attacks, set the Lock Mode in Adaptive Defense: run only those processes which are classified as trustworthy by Panda Security.
  • Make periodic backup copies of your data and make sure that they are working properly, and that they are not connected to the network.

Being Prepared Makes All the Difference 

Thanks to the advanced technology of Adaptive Defense, none of our clients were affected by this attack.

Panda Security’s new security model is based in contextual intelligence backed by machine learning techniques that reveal patterns of malicious behavior and generate advanced cyber defense actions against known and unknown threats. Along with the ability to record and categorize absolutely all the processes running at the endpoint, it gives us an extremely detailed view of everything that happens on a computer network. Once again, Adaptive Defense has successfully shielded its clients from a global threat.

Adaptive Defense stops what others don’t even see. Total visibility, absolute control.

We will continue to provide detailed information on the attack.