Goldeneye / NotPetya Ransomware

A massive ransomware campaign is currently unfolding worldwide. Several critical infrastructure institutions in Ukraine have already been taken offline.

Preliminary information shows that the malware sample responsible for the infection is an almost identical clone of the GoldenEye ransomware family. At the time of writing, there is no information about the propagation vector, but we presume it to be carried by a wormable component.

Unlike most ransomware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer, and another that encrypts NTFS structures. This approach prevents victims from booting their computers into a live OS environment to retrieve stored information or samples.

Additionally, once the encryption process is complete, a specialized routine in the ransomware forcefully crashes the computer to trigger a reboot, which renders the computer unusable until the $3000 ransom is paid.

The anti-virus engine in Safer-Networking’s products Spybot Home Edition, Spybot Professional Edition and Spybot Corporate detects the currently known samples of the new GoldenEye (AKA Petya/NotPetya/Nopetya) variant under the name Trojan.Ransom.GoldenEye.B.

If you are using any of these products, please ensure that your signature files are up to date. You can find more information about our products on our website or on our Forum.