The author of the Petya-Mischa ransomware combo has returned with a new version that uses the name GoldenEye Ransomware, continuing the malware's James Bond theme.
Brought to our attention today by a Bleeping Computer user named gizmo21, this new "GoldenEye" ransomware is almost identical to past Petya and Mischa variants.
GoldenEye Petya variant spreading via spam emails
The ransomware is currently distributed via spam campaigns that at the moment seem to be targeting German-speaking users.
The spam emails use the classic resume theme, come with two file attachments, and have a subject line starting with the word Bewerbung, as shown below.
The first attachment is a fake resume, used to convince the human resources department that the email is legitimate. You can see one of the pages of this PDF below.
The Excel spreadsheet, shown below, is the actual installer: it contains a malicious macro that drops and runs the GoldenEye ransomware.
In the spam campaign observed in the past days, the Excel files have the following names:
Meinel-Bewerbung.xls
Seidel-Bewerbung.xls
Wüst-Bewerbung.xls
Born-Bewerbung.xls
Schlosser-Bewerbung.xls
When a user clicks on the Enable Content button, the macro runs, decodes the base64 strings embedded in it, and saves the result as an executable file in the temp folder. Once the file has been written, the VBA script automatically launches the program, which begins the encryption process on the computer.
You can see a small portion of the deobfuscated VBA macro that generates the installer below. I have posted the full VBA script here.
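An added triage routine (not code from the article or from the malware) that does statically what an analyst would do with a dropper macro of the kind described above: gather the quoted base64 literals, decode them, and check whether the result is a PE image alongside the %TEMP% path and Shell call. The sample macro is constructed and deliberately incomplete.

```python
import base64
import re

# Constructed, non-working stand-in for the deobfuscated dropper macro
# (not the real GoldenEye VBA): quoted base64 chunks, a %TEMP% path, Shell.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim p As String, s As String
    p = Environ("TEMP") & "\" & "update.exe"
    s = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA"
    s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    Call WriteBytes(p, Base64Decode(s))
    Shell p, vbHide
End Sub
'''

# A quoted literal made only of base64 characters, at least 16 long.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')
# Calls that, together with an embedded PE, mark a drop-and-run macro.
SUSPICIOUS_CALLS = ("Environ", "Shell", "CreateObject", "Base64Decode")

def extract_payload(vba_source: str) -> bytes:
    """Concatenate the base64 literals in source order and decode them.
    Macros split the blob over many lines; the pieces only decode once joined."""
    joined = "".join(B64_LITERAL.findall(vba_source))
    joined += "=" * (-len(joined) % 4)          # tolerate stripped padding
    return base64.b64decode(joined)

def triage_macro(vba_source: str) -> dict:
    """Static triage: does the macro carry a PE image and the calls to run it?"""
    payload = extract_payload(vba_source)
    calls = [c for c in SUSPICIOUS_CALLS if c in vba_source]
    drops_pe = payload[:2] == b"MZ"             # DOS header magic of a PE file
    verdict = "dropper" if drops_pe and "Shell" in calls else "inspect manually"
    return {"payload_len": len(payload), "drops_pe": drops_pe,
            "writes_temp": 'Environ("TEMP")' in vba_source,
            "calls": calls, "verdict": verdict}
```

On a real document, feed it the macro text obtained with a VBA extraction tool rather than opening the file in Office.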
How GoldenEye Encrypts a Computer
Once the ransomware takes root, its modus operandi is a little different from how Petya and Mischa functioned in the past. In the Petya/Mischa infections, if Petya could not gain administrative privileges to overwrite the MBR, it would run the standard file-encrypting component, called Mischa. GoldenEye, on the other hand, first encrypts the files on the computer and then tries to install the MBR bootkit to encrypt the drive's MFT.
The GoldenEye variant starts by encrypting the user's files, just like regular ransomware. For each file it encrypts, GoldenEye appends a random 8-character extension at the end.
The ransomware then also modifies the user's hard drive MBR (Master Boot Record) with a custom boot loader.
Once this operation ends, the ransomware shows the following ransom note. The file's name is YOUR_FILES_ARE_ENCRYPTED.TXT.
The file-encryption stage just described is the "Mischa" part of the Petya-Mischa combo. Mischa acts as a regular file encryptor, while Petya is the hard drive locker.
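An added check (not code from the article) for the file-encryption stage described above, scoring a listing of file paths per directory on the two artifacts the article names: files carrying an appended 8-character extension and the presence of YOUR_FILES_ARE_ENCRYPTED.TXT. Assumes the random extension is alphanumeric; the listing is constructed.

```python
import re
from pathlib import PureWindowsPath

# Name of the ransom note dropped by GoldenEye, as given in the article.
RANSOM_NOTE = "YOUR_FILES_ARE_ENCRYPTED.TXT"
# The appended extension is 8 random characters; assumed alphanumeric here.
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{8}$")

def looks_renamed(name: str) -> bool:
    """True for 'report.docx.k3Jd9Qa1': an original extension plus an 8-char one.
    Requiring the original extension keeps '.markdown' from matching."""
    suffixes = PureWindowsPath(name).suffixes
    return len(suffixes) >= 2 and RANDOM_EXT.match(suffixes[-1][1:]) is not None

def scan_listing(paths, min_ratio=0.5):
    """Return directories that hold the ransom note AND mostly renamed files.
    Requiring both indicators avoids alerting on one odd 8-char extension."""
    stats = {}
    for p in paths:
        wp = PureWindowsPath(p)
        d = str(wp.parent)
        note, hits, total = stats.get(d, (False, 0, 0))
        if wp.name.upper() == RANSOM_NOTE:
            note = True
        else:
            hits += looks_renamed(wp.name)
            total += 1
        stats[d] = (note, hits, total)
    return sorted(d for d, (note, hits, total) in stats.items()
                  if note and total and hits / total >= min_ratio)

# Constructed listing (not from a real infection).
SAMPLE_LISTING = [
    r"C:\Users\hr\Documents\report.docx.k3Jd9Qa1",
    r"C:\Users\hr\Documents\budget.xlsx.Zq81mNp0",
    r"C:\Users\hr\Documents\photo.jpg.b7Tc2XwE",
    r"C:\Users\hr\Documents\YOUR_FILES_ARE_ENCRYPTED.TXT",
    r"C:\Users\hr\Downloads\notes.markdown",
    r"C:\Users\hr\Downloads\setup.tar.gz",
]
```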
Shortly after displaying the ransom note, GoldenEye enters the Petya stage of the infection.
This occurs when the ransomware forcibly reboots the user's computer and enters a stage where it starts encrypting the user's hard drive MFT (Master File Table), making it impossible to access any files on the hard disk.
The MFT encryption process is masked by a fake chkdsk screen, just like in past Petya variants.
After this process ends, the most visible change from previous Petya-Mischa infections appears: a new ransom screen.
Technically, this boot level ransom note is the same as previous Petya screens, but it's now displayed using yellow-colored text. Initially, Petya used red text, and then switched to green when the Mischa component was added.
Users that want to recover files must take the "personal decryption code" from the ransom note and enter it on a Dark Web portal. The GoldenEye Petya version asks for 1.33284506 Bitcoin (roughly $1,000).
The Dark Web portal also includes a support area, where one user has already reported that GoldenEye has caused his computer to crash.
While GoldenEye tries to pass as a brand new ransomware, its modus operandi, ransom note texts, and just about everything else give it away as a rebranded Petya-Mischa combo.
The Petya ransomware first appeared in March 2016, and its first version only encrypted the MBR and MFT. Because this process caused multiple errors that halted the encryption and needed admin privileges to run correctly, in May its creator added the Mischa file encryptor component to Petya, so that files are encrypted the "classic" way in case the HDD encryptor fails.
The man responsible for Petya and Mischa is a cyber-criminal that goes by the name of Janus, who up until October 2016 ran the Janus Cybercrime website, where he offered the Petya & Mischa ransomware combo as a RaaS (Ransomware as a Service).
In July, Janus also sabotaged one of his competitors by releasing the decryption keys for the Chimera ransomware.
Janus Syndicate is also the name of the cybercrime syndicate that was featured in the 1995 James Bond film GoldenEye.
UPDATE [November 7, 2016]: This tweet from security researcher MalwareHunterTeam can help you understand the scale of the current GoldenEye ransomware campaign. The researcher is referring to detections on ID Ransomware, a service for identifying the ransomware family that has infected a victim.
So, the new Petya version got nice numbers:
GoldenEye yesterday (only Germany): ~160.
Locky's best day past month (over 30 countries): ~375.
— MalwareHunterTeam (@malwrhunterteam) December 7, 2016
Comments
Didier Stevens - 7 years ago
We did a quick analysis of the malicious document that drops this ransomware: "Analyzing an Office Maldoc with a VBA Emulator" https://blog.nviso.be/2016/12/07/analyzing-an-office-maldoc-with-a-vba-emulator/
Jimmy411 - 7 years ago
If you were to pay the ransom for the Petya part of the encryption would you then be asked to pay a 2nd ransom to remove Mischa?
campuscodi - 7 years ago
The ransom payment is handled on the same site and the post-payment decryption removes both versions. Mischa is a backup for Petya, in case Petya doesn't manage to encrypt the MBR and MFT.
TheITGUI - 7 years ago
When I started to see Mischa/GoldenEye take effect, I hastily rolled back my machine via RollBack Rx. Pretty close call, but luckily it doesn't seem to have done any permanent damage.
Saurav74 - 6 years ago
What's this software about? Sounds cool. Seems like it rolled back the time!!
vikas891 - 7 years ago
I ran the JS in my VM and it created a mess. I am amazed that "we" didn't have signatures for the JS and upon submission we pushed them out!
Thank you for posting all the information here, fellas. Much much appreciated!
Didier Stevens - 7 years ago
We also produced screencasts for our analysis: https://blog.nviso.be/2016/12/12/videos-analyzing-an-office-maldoc-with-a-vba-emulator/