GoldenEye Ransomware: Shaken, Not Stirred - Notes from the Underground

December 29, 2016  |  Jim Hansen

What do action, adventure, cool gadgets, Vodka martinis—shaken not stirred—and ransomware all have in common? One word – GoldenEye. For my fellow Gen Xers, you probably remember this iconic James Bond film starring Pierce Brosnan as 007. I sure do. It was one of the best James Bond films ever made. The film involved an insidious plot by malicious actors bent on destruction and monetary theft using an electromagnetic Soviet Cold War satellite weapon called GoldenEye. In the film, only 007 can save the day. And, course, he does.

If only it were that easy, right? Find the coolest, smoothest, martini-drinkin’ good guy to swoop in and take out the megalomaniac bad guys to save the day, maybe your computer, your data, or your customer’s data. Unfortunately, in real-world cyberattacks, the bad guys do sometimes win, take your data, compromise your systems, and make you pay (or at least try to) to get it back. It’s criminal exploitation at its best.

2016 has been a lucrative year for ransomware malefactors, and now we have yet another strain, GoldenEye, out there to contend with. Luckily, it is localized right now for the most part in Germany, but this doesn’t mean that it won’t find its way to a country near you. IT security team, beware.

About GoldenEye

So, what is GoldenEye? Before we go into that, let’s first understand some of the predecessors created by the same threat actor, Janus Cybercrime Solutions, a self-proclaimed criminal organization responsible for GoldenEye and several other ransomware variants.

The GoldenEye ransomware is a variant of the notorious Petya ransomware, which is best known for its unique signature of overwriting the Master Boot Record of the infected host. The best (or worst) part of this particular ransomware is that the user watches in idle incomprehension as the malware reboots the system in front of them, displays a fake check disk (chkdsk) screen, and then informs the user on how to purchase bitcoins to unlock their system. By the time the user realizes their system is compromised, it’s too late.

There is hope, though. At least, a little bit. Petya is delivered most often via email to the victim and requires that the victim download and execute it. For Petya to do its dirty deed, it needs administrative access to the system. To get administrative access, a User Access Control (UAC) challenge is presented to the user, and the user must accept it to grant the access. The best defense is to be wary and suspicious of attachments and to not click on and download them. If you do download an attachment and a UAC challenge is presented, that should be a clue. Don’t allow the program to have administrative privilege.

You may think to yourself at this point, “OK, I got it. Don’t click on things that look suspicious. Don’t let attachments escalate privilege. No problem.” Well, there’s more. Our dear friends at Janus Cybercrime Solutions don’t like missing out on an opportunity to steal your money. So, they came up with yet another malware variant and packaged it with Petya to increase their opportunity. This additional package is called Mischa. Sound familiar? For those of you Bond buffs, you may recognize both Petya and Mischa as the two satellites that comprise the GoldenEye weapon in the GoldenEye movie. Petya was used by the Bond villain Alec Trevelyan (a.k.a. Janus) to blow up the GoldenEye satellite facility in Severnaya. The second satellite, Mischa, was to be used by Alec to steal “millions of dollars” from the Bank of England. Nothing better than wreaking destruction and making a few bucks along the way, I guess.

Mischa is another variant of ransomware, but this one behaves similarly to other common ransomware variants. It simply looks for data files on the compromised system and encrypts them. When a system is compromised, both Petya and Mischa are installed. If Petya is unable to gain administrative access, Mischa is waiting in the background to execute and encrypt the system files using a more traditional file-based encryption approach. The two malware variants together have become a formidable adversary.

Keep in mind, Mischa still has to be installed and the user must take an action to do it. It doesn’t just happen all by itself. At least, not yet. Perhaps that’s the next “improvement.”

This brings us to GoldenEye itself. GoldenEye is a new version of the Petya-Mischa combined ransomware that still has the same basic capabilities and limitations. It operates similarly to the Petya-Mischa ransomware combination and is still delivered most often via email attachment. But, it now behaves a little differently than it did before. Instead of waiting for administrative access so that it can reboot and overwrite the Master Boot Record, GoldenEye now encrypts the local files first. Eeek! Once the local files are encrypted, it then reboots and overwrites the MBR. If successful, a single download infects a system with two forms of ransomware and can require two ransomware payments. It’s a double whammy.

The best possible thing you can do to prevent a ransomware infection is just to not use email or the internet. Since that is not likely to happen, you should establish continuous training to your users to minimize the likelihood that they will click on a malicious email attachment. Keep in mind that although you have control and visibility over your corporate email server, you don’t necessarily have the same control and visibility over the myriad of personal email accounts that your users have.

How Does AlienVault Help?

The AlienVault Unified Security Management (USM) platform delivers the essential security capabilities that organizations of all sizes need to detect, prioritize, and respond to Ransomware threats like Goldeneye, Petya, and Mischa. One of the essential capabilities built into the USM platform is a network intrusion detection system, which is used to monitor the network for suspicious activity and notify you via an alarm when activity related to the ransomware is discovered.

The AlienVault Labs team regularly updates the rulesets that drive the all of the threat detection and response capabilities of the AlienVault USM platform to keep you up to date with new and evolving threats. The Labs team performs the threat research that most IT teams simply don’t have the expertise, time, budget, or tools to do themselves to discover the latest threats, and how to detect and respond to them.

The Labs team recently updated the USM platform’s ability to detect this new threat by adding IDS signatures to detect malicious traffic as well as a correlation directive to link events from across a network that indicate a system compromised by Goldeneye. Learn more about these updates in the Threat Intelligence Update summary posted in our Forums, where you can keep up to date on the latest threat intelligence updates, product news, and engage with your fellow Aliens.

Note that in addition to the recent update of signatures for Goldeneye, the AlienVault Labs Team has also updated several other ransomware signatures based on recent activity identified, including Cerber, Locky, TorrentLocker, Shigo, Xbot, Alma, and Maktub.

Our AlienVault Labs team and the Open Threat Exchange (OTX) community will continue to monitor the behavior of these threats and will update the information in OTX when appropriate.

Also, the integration between our OTX and USM means that you get alerted whenever indicators of compromise (IOCs) being discussed in OTX are present in your network. The result is that USM customers are up to date on the latest threat vectors, attacker techniques, and defenses. Even if you don’t have USM, you can create a free account in OTX and interact with the community.

Share this with others

Featured resources



2024 Futures Report

Get price Free trial