It looks like the developer of the Petya-Misha ransomware has created a new ransomware version, which is based on his previous product but uses a brand new name: GoldenEye. Even though GoldenEye is trying to pass as an entirely new piece of ransomware, it is almost identical to previous Petya-Misha versions, and the similarities give away that it was simply rebranded.
According to experts, this new threat is being distributed via spam messages sent mainly to Germany-based users. The emails carry two file attachments and have a subject line that starts with the word “Bewerbung”.
The first file is a résumé intended to make the message look legitimate; the second, an Excel spreadsheet, contains a malicious macro that installs the GoldenEye ransomware. When the victim presses the “Enable Content” button in the Excel file, the macro runs, decodes embedded base64 strings and writes them to an executable file in the temp folder. Once the file is created, the VBA script automatically runs the program and the encryption process begins.
GoldenEye's actual encryption routine differs somewhat from Petya-Misha's. In previous versions, if Petya couldn't gain administrative privileges to overwrite the MBR, it would fall back to the standard file-encrypting component, Misha. GoldenEye, however, encrypts the computer's files first and only then tries to install the MBR (Master Boot Record) bootkit that encrypts the drive's MFT.
This version, like the others, appends a random 8-character extension to each encrypted file and overwrites the MBR of the user's hard drive with a custom boot loader. After that, GoldenEye drops its ransom note file, named YOUR_FILES_ARE_ENCRYPTED.TXT.
All of this is the Misha part, since Misha is the standard file encryptor and Petya is the hard drive locker. So, after displaying the ransom note, GoldenEye proceeds to the Petya part of the encryption process.
First, the ransomware forces the targeted computer to reboot so that it can start encrypting the hard drive's MFT (Master File Table). Once this process has finished, a new ransom screen appears, in which the differences between GoldenEye and the Petya-Misha combo are more visible.
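As a defender-side illustration of the chain described above, here is an added example (not code from the article or from any vendor) in Python that scores simplified, constructed Sysmon-style host events for the three observable stages: an Office process spawning an executable from the temp folder, a burst of renames that append an 8-character extension, and the drop of YOUR_FILES_ARE_ENCRYPTED.TXT. The event schema, the sample records and the rename threshold are assumptions.

```python
import re
from typing import Iterable

# Indicators taken from the article: an Excel macro drops an executable in the
# temp folder, encrypted files get a random 8-character extension, and the
# ransom note is named YOUR_FILES_ARE_ENCRYPTED.TXT.
OFFICE_APPS = {"excel.exe", "winword.exe"}
TEMP_EXE = re.compile(r"\\(temp|tmp)\\[^\\]+\.exe$", re.IGNORECASE)
RANDOM_EXT = re.compile(r"^(?P<orig>.+)\.(?P<ext>[A-Za-z0-9]{8})$")
RANSOM_NOTE = "your_files_are_encrypted.txt"
MASS_RENAME_THRESHOLD = 5  # assumed tuning value, not from the article


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: Iterable[dict]) -> dict:
    """Count per-indicator hits for one host and derive an overall verdict."""
    hits = {"office_spawn_temp_exe": 0, "random_8char_rename": 0, "ransom_note_drop": 0}
    for ev in events:
        if ev["type"] == "process":
            if basename(ev["parent"]) in OFFICE_APPS and TEMP_EXE.search(ev["image"]):
                hits["office_spawn_temp_exe"] += 1
        elif ev["type"] == "rename":
            m = RANDOM_EXT.match(ev["dst"])
            # the new name must be the old name plus exactly one 8-char suffix
            if m and m.group("orig") == ev["src"]:
                hits["random_8char_rename"] += 1
        elif ev["type"] == "create" and basename(ev["path"]) == RANSOM_NOTE:
            hits["ransom_note_drop"] += 1
    stages = [hits["office_spawn_temp_exe"] > 0,
              hits["random_8char_rename"] >= MASS_RENAME_THRESHOLD,
              hits["ransom_note_drop"] > 0]
    hits["verdict"] = ("goldeneye_like" if all(stages)
                       else "suspicious" if any(stages) else "clean")
    return hits


# Constructed sample telemetry (simplified Sysmon-style records), not real capture data.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Users\anna\AppData\Local\Temp\bewerbung.exe"},
    {"type": "create", "path": r"C:\Users\anna\Documents\YOUR_FILES_ARE_ENCRYPTED.TXT"},
    # a benign rename with a 3-character backup suffix must not count
    {"type": "rename", "src": r"C:\Users\anna\Documents\notes.txt",
     "dst": r"C:\Users\anna\Documents\notes.txt.bak"},
] + [{"type": "rename", "src": rf"C:\Users\anna\Documents\doc{i}.docx",
      "dst": rf"C:\Users\anna\Documents\doc{i}.docx.Qe8fT2Wz"} for i in range(6)]
```

Only the combination of all three stages yields the strong verdict; a single Office-spawned temp executable alone is reported as "suspicious" so that ordinary macro activity does not page an analyst.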
GoldenEye's ransom note is technically the same, but it is now displayed in yellow. At first, Petya used red-colored text; when the Misha component was added, it switched to green. In the note, the ransomware author demands a ransom of 1.33 Bitcoins (approximately $1,000) in exchange for the personal decryption code.
Petya was first noticed in March 2016, and its early version only encrypted the MBR and MFT. However, these processes were error-prone and required administrative privileges, so in May the ransomware creator added the Misha component for standard file encryption. The person behind the Petya-Misha ransomware is a cybercriminal who goes by the name of Janus.
Up until October this year, he ran the Janus Cybercrime website, where Petya-Misha was offered as Ransomware-as-a-Service (RaaS). Also, in July, he successfully sabotaged one of his biggest competitors by releasing the Chimera decryption key online.