Petya / GoldenEye malware variant information

Version 1

    General Information:

    • The Petya/GoldenEye malware has been confirmed by Bitdefender Labs to be leveraging the EternalBlue exploit to spread from one computer to another, along with some additional exploits to propagate.
    • EMSS Antivirus users who have up-to-date AV Definitions will already be protected against the new strains of the Petya/GoldenEye malware.
    • EMSS Application Control users will be protected if their endpoints are in Lockdown as the new application hashes will not be authorised to run.
    • The email address that was used by the threat actors to get payment confirmations has been suspended by Posteo. This means that all payments made over the night of the 27th June will be unable to get validated, and therefore will surely not receive the decryption key, according to Bitdefender.


    Infection prevention:

    1. Ensure your EMSS Antivirus Definitions are up to date on your endpoints, using the EMSS Web Console=>Manage=>Endpoints=>Antivirus Tab page. They need to be at or above:
      1. AV Update time:      Tue Jun 27 17:17:17 2017
      2. AV Definition Version:           1498573037
    2. Instruct your end-users to be extra vigilant about file links and opening files from unknown sources, to reduce the chances of the a social-engineering based penetration of the malware.
    3. EMSS Patching:
      1. Make sure you have the latest cumulative Security updates for Windows 7 and Server 2008 R2 up through Windows 10 and Server 2016 in place. This covers the Eternal family of vulnerabilities and the two latest known exploited vulnerabilities.
      2. To protect against other exploits used for propagations, two more updates for known vulnerabilities, released on June Patch Tuesday, warrant attention:
        1. CVE-2017-8543 – A vulnerability in Windows Search could allow an attacker to take complete control of the system. It could also be exploited over the network without authentication through SMB. It was flagged as “Exploited” when Microsoft released the update on June Patch Tuesday.
        2. CVE-2017-8464 – A vulnerability in Microsoft Windows could allow remote code execution if an LNK file is processed. An attacker could craft a shortcut icon that provides the same rights as the local user. It’s a perfect USB drop scenario.
        3. Microsoft went a step further, given recent attacks, and released updates for XP, Vista, and 2003 – The updates go as far back as MS08-067, which plugged the vulnerability Conficker used to infect more than 15 million machines back in 2008.
        4. If you are using the Security Only bundle instead of the Monthly Cumulative Rollup, you need the Security Only bundle from March, April, or May to resolve the original SMBv1 vulnerabilities. You also need the June Security Only bundle to resolve the two latest exploits, including the new SMB vulnerability. By OS you should have the following KBs applied:
          1. Windows 7\Server 2008 R2
            1. March: KB4012212
            2. April: KB4015546
            3. May: KB4019263
            4. June: KB4022722
            5. Windows Server 2012
              1. March: KB4012214
              2. April: KB4015548
              3. May: KB4019214
              4. June: KB4022718
            6. Windows 8.1\Server 2012 R2
              1. March: KB4012213
              2. April: KB4015547
              3. May: KB4019213
              4. June: KB4022717
        5. For those of you still running Windows XP, Vista, 8, or Server 2003, we recommend you have all the Bulletins and KBs described in the document in place on your systems. All are publicly downloadable, even those released after end of life for each operating system.


    Further details and updates in relation to this Patching is to be found at our Ivanti Blog post on the subject:



    Handling an Infected/suspected-infected machine:

    • If at any point you suspect a machine of being infected, power it off completely and remove it from your network.
    • The malware attacks the Master Boot Record of the target machine hard drives, replacing it with its own. It then triggers a Bluescreen error to force the machine to have to be rebooted. At this point, your data is not encrypted but the machine should not be booted up.
    • If you reboot your machine, the new MBR of the boot disk will present a fake CHKDSK screen to fool you into waiting while it encrypts all of your files/drive.
    • If you believe the drive to be infected or not yet fully encrypted, use an AV-protected (definitions up to date) machine to attach the problem-hard-drive to and copy any required files off the problem-hard-drive to a safe location.