GoldenEye Ransomware Attack Takes Down Global Networks
Three months ago, the WannaCry mass ransomware attack began infecting computers across the globe. The cyber-attack came on the back of a year dubbed ‘The Year of Ransomware’ and became one of many similar headlines concerning cyber-security.
The WannaCry strain of malware utilized a secondary programme, EternalBlue, designed as a ‘worm’ to increase the speed of the attack, allowing the infection to spread to over 300,000 end-points in over 150 countries. The main WannaCry outbreak lasted for 3 days, although several smaller follow-on attempts at infection were seen over the following weeks.
The newest follow-on attack since WannaCry has cyber-security professionals across the globe paying attention. This strain of Petya ransomware has been identified as GoldenEye and is expected to be a large-scale attack across the globe.
The cyber-criminals that designed the WannaCry ransomware strain were as effective as they were by targeting two known vulnerabilities in their attacks. Those behind the GoldenEye attacks have added another prong to their attack: GoldenEye has two layers of encryption. While ransomware has always targeted files and encrypted them to stop a user from being able to use their computer, GoldenEye encrypts both the files and the file-system structures, known as NTFS structures. Although this stops a machine from being able to access any of its files in their encrypted form, it does not stop a remote recovery of data. Recovering data from an intact off-site backup writes new data to the restore target or machine, ensuring that the files are restored from, and accessed at, uncompromised locations rather than the original infected copy. As GoldenEye uses a worm to help it spread, it is important to ensure that backup data is stored off the network and cannot become infected in the event of an attack. Since the WannaCry infection spread across networks, Redstor have restored the data for over 150 organizations, preventing them from paying ransoms and falling victim to cyber-criminals.
GoldenEye is expected to have hit around 2,000, mostly in Ukraine, Russia and Poland. The strain of ransomware, similarly to WannaCry, demands a bitcoin payment equivalent to $300 for files to be returned safely. Security companies have continued to advise users against paying ransoms, as this only incentivises hackers further to attempt these large-scale attacks.
Recently a South Korean hosting firm paid a ransom worth $1m for the return of its systems when the data on 153 Linux servers and 3,400 customers' websites was encrypted.
Among those hit with GoldenEye across the globe so far are US-based pharmaceutical company Merck, British advertising firm WPP and British legal firm DLA Piper. DLA Piper said in a statement: “The firm, like many other reported companies, has experienced issues with some of its systems due to suspected malware. We are taking steps to remedy the issue as quickly as possible.”
GoldenEye has also been designed to attack systems quickly: the programme forces systems to reboot as soon as they have been infected, allowing the ransom message to appear sooner. A Posteo email account has since been shut down in connection with ransoms being paid, and the company is working with German police in an attempt to find the cyber-criminals behind the attack.
Why Cyber-security should be a top priority
GoldenEye and WannaCry are just two of the strains of ransomware that have affected organizations across the globe. Cyber-criminals and hackers have repeatedly targeted hospitals and schools, among other public sector organizations. Having been so successful at extorting ransoms from organizations, hackers now see ransomware as a quick payday. Ransomware is most commonly spread via network shares or email, so it can be used to target large numbers of people without too much effort.
Cyber-security should be a top priority for all organizations, as the threat is well-funded and quickly developing. The speed at which the threat is growing makes it even more difficult to protect against if proper procedures are not in place. Ransomware attacks have the ability to cause mass outages and disrupt networks, which can be costly for businesses that are not able to get back to operational capacity. In 2016, it was reported that downtime was responsible for a loss of $700bn globally.
A big part of having proper cyber-security procedures in place is educating users on the threats that they face and helping them to understand how they can mitigate the risk of cyber-attack. Human error is a major cause of downtime, and this is something that hackers depend on. Users opening malicious links or attachments in emails is still one of the leading reasons that attacks like GoldenEye have been so devastatingly effective. Educating users to be more diligent with their personal security can go a long way towards protecting systems for the whole organization.
Recovering from Ransomware
If a ransomware attack cannot be prevented, recovering from it remains the only option. But without an isolated, up-to-date backup of data, your IT systems will have no previous working state to revert to, and your organization will have no choice but to pay up in the hope of access being restored, or to accept that the data is lost forever. An onsite backup may be able to help, but if the infection spreads to this local copy then that too is going to be inaccessible.
Implementing a new backup solution is no use if data is already infected: a backup may still take place, but the restore will not be able to get around the encryption that is already there. Only with an up-to-date, isolated data backup will your recovery be swift and all traces of the ransomware infection be erased.
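As an added illustration of the two points above (a backup taken after encryption is useless, and a restore should come from data that is known to be intact), here is a Python check that is not Redstor's code or tooling: it compares a backup snapshot against a SHA-256 manifest recorded while the data was known-good and flags changed files whose content is near-random, which is what a snapshot captures once ransomware has already overwritten the originals. The entropy threshold and the sample files are constructed assumptions for the demonstration.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Assumed threshold: encrypted or compressed data sits close to 8 bits/byte,
# ordinary documents and source text are usually well below this.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 of content, taken while the data is known-good."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_snapshot(root: Path, manifest: dict) -> dict:
    """Classify a snapshot against the manifest: files the snapshot lacks, files whose
    hash changed, and changed files that look encrypted (high entropy)."""
    report = {"missing": [], "changed": [], "suspect_encrypted": []}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        data = p.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            report["changed"].append(rel)
            if shannon_entropy(data) > ENTROPY_THRESHOLD:
                report["suspect_encrypted"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: manifest from clean files, then a snapshot in which one file
    was overwritten with random bytes (standing in for ciphertext) and one was lost."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "report.txt").write_bytes(b"Quarterly figures: revenue up 4%.\n" * 40)
        (root / "notes.txt").write_bytes(b"meeting notes " * 100)
        manifest = build_manifest(root)
        (root / "report.txt").write_bytes(os.urandom(4096))  # simulated encrypted overwrite
        (root / "notes.txt").unlink()                        # simulated missing file
        return check_snapshot(root, manifest)
```

A snapshot that reports any `suspect_encrypted` entries was taken too late and should not be used as the restore point; the manifest itself must be kept with the isolated backup so it cannot be altered by the same infection.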