VIPRE Labs has begun analysis of a new, large-scale ransomware campaign that is currently targeting Ukraine. Initial technical analysis shows the sample carries a fake (invalid) Microsoft digital certificate and shares many traits with the GoldenEye ransomware family.
The sample clears the Windows event logs using wevtutil and writes to the raw disk partition before shutting the machine down. It is speculated to be a combination of Petya and Mischa (together known as GoldenEye). Which payload runs depends on privileges: if the sample cannot run as admin it encrypts files on disk; if it can run as admin it encrypts the MBR rather than the individual files. Once the MBR has been overwritten the machine can no longer boot into its OS, so stored data or samples cannot be retrieved from the live system.
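The two host-side behaviours described above, clearing event logs with wevtutil and then forcing the machine down, are what a defender can detect before the MBR payload takes effect. The following is an added example (written for this page, not code from VIPRE Labs or from the malware) that runs that detection logic over a handful of constructed telemetry records shaped like Sysmon process-creation events and the Windows Security "audit log cleared" event (ID 1102). The field names, the command lines, the assumption that explorer.exe is the only expected parent of a forced reboot, and the five-minute correlation window are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs from the campaign): records shaped
# like Sysmon Event ID 1 (process creation) and Windows Security Event ID 1102
# (audit log cleared), normalised to a handful of common fields.
SAMPLE_EVENTS = [
    {"time": "2017-06-27T10:15:02", "host": "ws01", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c dir"},
    {"time": "2017-06-27T10:15:40", "host": "ws01", "event_id": 1,
     "image": r"C:\Windows\System32\wevtutil.exe", "parent_image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application"},
    {"time": "2017-06-27T10:15:41", "host": "ws01", "event_id": 1102,
     "image": "", "parent_image": "", "cmdline": ""},
    {"time": "2017-06-27T10:16:05", "host": "ws01", "event_id": 1,
     "image": r"C:\Windows\System32\shutdown.exe", "parent_image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "shutdown.exe /r /f /t 0"},
    {"time": "2017-06-27T10:20:00", "host": "ws02", "event_id": 1,
     "image": r"C:\Windows\System32\wevtutil.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wevtutil qe System /c:5"},            # querying a log, not clearing it
    {"time": "2017-06-27T10:25:00", "host": "ws03", "event_id": 1,
     "image": r"C:\Windows\System32\shutdown.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "shutdown.exe /r /f /t 30"},           # an admin rebooting from the desktop
    {"time": "2017-06-27T10:30:00", "host": "ws04", "event_id": 1,
     "image": r"C:\Windows\System32\wevtutil.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wevtutil.exe clear-log Application"},
]

# "wevtutil cl <log>" and its long form "wevtutil clear-log <log>".
CLEAR_LOG_RE = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.IGNORECASE)
# shutdown.exe with a force flag (/f) and either reboot (/r) or power-off (/s).
FORCED_SHUTDOWN_RE = re.compile(r"\bshutdown(?:\.exe)?\b(?=.*\s/f\b)(?=.*\s/[rs]\b)", re.IGNORECASE)
# Assumption for this example: a forced reboot spawned from the interactive shell
# is an administrator; anything else spawning it is suspicious.
INTERACTIVE_PARENTS = {"explorer.exe"}


def classify(event):
    """Return (tactic, detail) for one event, or None if nothing fires."""
    if event["event_id"] == 1102:
        return ("log_cleared", "Security log cleared (Event ID 1102)")
    if event["event_id"] != 1:
        return None
    cmd = event["cmdline"]
    if CLEAR_LOG_RE.search(cmd):
        logs = re.findall(r"\b(?:cl|clear-log)\s+(\S+)", cmd, re.IGNORECASE)
        return ("log_cleared", "wevtutil clearing " + ", ".join(logs))
    if FORCED_SHUTDOWN_RE.search(cmd):
        parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
        if parent not in INTERACTIVE_PARENTS:
            return ("forced_reboot", "forced shutdown/reboot spawned by " + parent)
    return None


def correlate(events, window=timedelta(minutes=5)):
    """Group findings per host; escalate when log clearing is followed, within
    `window`, by a forced reboot on the same host (the sequence described above)."""
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        hit = classify(ev)
        if hit is not None:
            findings.setdefault(ev["host"], []).append(
                (datetime.fromisoformat(ev["time"]),) + hit)
    alerts = []
    for host, hits in findings.items():
        clears = [t for t, tactic, _ in hits if tactic == "log_cleared"]
        reboots = [t for t, tactic, _ in hits if tactic == "forced_reboot"]
        chained = any(timedelta(0) <= r - c <= window for c in clears for r in reboots)
        if chained:
            severity = "high"      # anti-forensics immediately followed by the reboot
        elif clears:
            severity = "medium"    # log clearing on its own still deserves a look
        else:
            severity = "low"
        alerts.append({"host": host, "severity": severity,
                       "details": [detail for _, _, detail in hits]})
    return alerts


def run_sample():
    """Severity per host for the constructed events; hosts with no findings are absent."""
    return {a["host"]: a["severity"] for a in correlate(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], alert["severity"], "; ".join(alert["details"]))
```

Only ws01 reaches high severity: the log clearing and the forced reboot come from the same host within the window, and the 1102 event corroborates the wevtutil command line even if process telemetry is incomplete. ws02 (a wevtutil query) and ws03 (a reboot launched from explorer.exe) produce nothing, and ws04 stays at medium because clearing a log is worth a look even without the reboot. Alerting on the reboot is time-critical: once the machine restarts into the malware's bootloader, the event logs and file system are no longer reachable from the OS.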
This variant appears to apply multiple layers of encryption, targeting both NTFS structures and the files in the main user profile on the OS volume.
Like typical ransomware, this sample denies the user access to the computer; in this case it renders the entire hard disk drive inaccessible rather than just individual files. There is currently no workaround for recovering the decryption keys from an affected computer.
Once encryption is complete, the ransomware uses a hard-coded routine that crashes the computer to force a reboot, leaving the machine unusable until the ransom is paid.
VIPRE ADVANCED SECURITY blocks the currently known samples of this ransomware variant. Computers running a VIPRE SECURITY SOLUTION, consumer or business, are protected against these samples by its advanced heuristics engine.