On January 27th, reports of a rapidly spreading ransomware attack started to emerge from Ukraine. The speed at which critical infrastructure networks were shutting down pointed to a ransomware application with a wormable component, whose virality called to mind the WannaCry ransomware. In less than three hours, the infection crippled banks, ATMs, public transport and an airport, as well as utilities provider Kyivenergo. Then it spread outside the Ukraine.
As multiple critical infrastructure networks reported major blackouts, Bitdefender started an internal investigation over isolated malware samples to trace the attack’s origin and better understand what it targeted, and how.
Our initial assessment reveals that the threat is similar to a variant of the GoldenEye ransomware, a strain that naturally evolved from the first commercial bootloader encryptor, Petya. This threat comes in the form of a DLL part of a largely complex scheme involving a supply chain compromise.
Patient Zero was Ukraine
This supply chain compromise is based around MeDoc, an accounting and invoicing utility that is required for all businesses operating in Ukraine. Bitdefender research shows that this bad update of the MeDoc accounting app also supplied the malicious DLL payload and was used to trigger the initial infections inside company networks.
The infection then spread from the machines running the accounting software to the other computers in the network via a number of lateral movement techniques, ranging from two exploits, allegedly leaked from the NSA, called EternalBlue and EternalRomance,, as well as a third vector of infection comprised of a credentials dumper for accounts stored in memory and two legit administration tools called PsExec and WMIC.
Technical analysis of the payload reveals that most of the code is borrowed from the GoldenEye ransomware family. What has been extensively improved upon is the spreading mechanism – the main purpose of which is to ensure that it hits as many computers as possible. There are no containment measures hard-coded in the malware, so once an infection starts on the network, the rest of the computers will get encrypted – some of them multiple times in multiple attacks coming from every infected machine. This causes a pinball effect that leaves data impossible to decrypt, even if a ransom is paid.
Not your run-of-the-mill form of ransomware
During the first hours since the malware broke out, the Twittersphere has been awash with suppositions and false leads, as the threat analysis community tried to make sense out of this attack. Undoubtedly, its fallout was one of the most visible in the history of ransomware. Because it prevents the victim computer from booting up, this kind of ransomware was able to decommission systems that control industrial processes, paralysing critical infrastructures and bringing a country to a grinding halt.
However, the poor implementation of the payment processing algorithm, paired with an unfortunate choice of victim country makes us think that this attack spelled “cyber-war” more than it spelled “money”.
Nobody goes to the Estic Bloc for ransom money. If you have been following the latest developments in the malware space, you might have noticed that most ransomware attacks originate from the Eastern bloc, but rarely attempt to monetise anywhere close to home. Anyone who attacks a country already impoverished by war and economic troubles hasn’t researched their prospects very well.
GoldenEye’s “efforts” to monetise is just a front. A basic principle of marketing is leading people to the shopping cart so they can buy whatever you are selling. GoldenEye not only does nothing in this regard, it does not even have a “shopping cart”. The key retrieval flow asks users to transcribe a 60-character “personal installation key” along with a 34-character Bitcoin wallet address on a different device, and then have the information sent via e-mail to an inbox. This leaves a lot of room for errors, as accurately transcribing this mixed-case serial number is challenging. In addition, the confirmation e-mail was suspended for abuse, just as one would expect from an account registered with a regular e-mail provider.
One Bitcoin wallet to receive all payments. Commercial ransomware usually demands payment to Bitcoin wallets generated on the fly rather than harvesting all the bounty into one wallet. This helps hackers conceal the magnitude of the extortion scheme and helps prevent attention from law enforcement. Like WannaCry, GoldenEye uses one Bitcoin wallet for all transactions. Both wallets are so widely known to be associated with cybercrime that hackers will have an incredibly hard time laundering the extorted money.
No consumers have been harmed during the attack. Probably the best-written section of the malware is the code that handles lateral movement. The ransomware is heavily optimised for spreading across computers on the same network once it has breached the perimeter. It includes three distinct spreading mechanisms, ranging from exploits (EternalBlue and EternalRomance) as well as a credential dumping technique followed by remote execution via PsExec. The mastermind behind the attack designed it to go viral in large computer networks rather than in consumer homes or small offices. Also, the main infection vector- the MeDoc software - is a business application few, if any, people run at home.
Money-wise, the attack was a commercial catastrophe. The GoldenEye attack was probably one of the most viral ransomware campaigns of all time. It has targeted victims all over the world, some of which still struggle to get back online. In spite of the damage, the group behind GoldenEye only managed to extort 10K USD. Compared to any family of ransomware (including those you have never heard of), this amount is trivial – so if this was a commercial ransomware campaign, it was a complete failure.
The chain of events that lead to the infection, the extent of damage inflicted on one country (Ukraine), the complete lack of interest in monetising the attack as well as the fact that the malware deliberately corrupts data in some circumstances, suggest this is no ordinary, money-seeking ransomware campaign. While we can only guess who was behind the attack, one thing is certain: businesses all over the world have suffered tremendous loss.
But have companies learnt anything from this?
One month ago, the world awakened to a massive digital fire in the form of WannaCry, a half-baked piece of ransomware that leveraged the same NSA-leaked EternalBlue exploit to spread from one Windows computer to another. Despite the fact that the exploit had been plugged since mid-April, a significant number of companies have been blind-sided and had their computers held to ransom. And despite the fix, WannaCry is still spreading to new victims daily, even if its “killswitch” prevents it from encrypting files.
GoldenEye was no different. It still leveraged the same EternalBlue and EternalRomance exploits to propagate on the network, and it still managed to create havoc and massive outage. So will the next families of malware powered by EternalBlue that will likely hit in the near future.
So how can companies protect themselves? If you have not done so yet, make sure you patch early and often. Run antimalware solutions capable of stopping advanced attacks. Cover all your bases, from endpoints to mobility to virtualised environments. And last, but not least, take regular backups and don’t forget to test them.
Bogdan Botezatu, senior e-threat analyst at Bitdefender
Image source: Shutterstock/Martial Red