GoldenEye Ransomware - Restore Files (July 2017) - How to, Technology and PC Security Forum |

GoldenEye Ransomware – Restore Files (July 2017)

This article aims to help you restore encrypted files from your hard drive if it has been infected by Petya GoldenEye Ransomware (other variant is known as Petya Eternal, ExPetr, PetrWrap, NotPetya).

The new ransomware outbreak of GoldenEye ransomware has been reported to target primarily Ukraine, but the malware quickly spread all over the world. This virus aims to encrypt all of the files on a hard drive and the MBR of the drive itself, making it virtually impossible for you to restore your files even if you pay the ransom. Researchers at Kaspersky have detected that the encryption routine of the new Petya/NotPetya virus is designed so that even if a payment is made, the ones behind the virus cannot decrypt your hard drive, even if they wanted to. So if your computer has been infected by this latest GoldenEye variant, you should also not pay the ransom and read this article to learn how to try and get your data back.

Threat Summary

NameGoldenEye Ransomware
TypeRansomware, Cryptovirus
Short DescriptionSeparate variant of Petya/NotPetya ransomware. Encrypts the MFT (Master File Table) and the files on the infected computer, demanding $300 ransom payoff.
SymptomsA reddish lock-screen on boot, demanding $300.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by GoldenEye Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss GoldenEye Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

The Infection Method of GoldenEye Ransomware

The primary method by which this nasty infection was detected to spread is very sophisticated and very effective. For starters, the cyber-criminals behind the GoldenEye Petya Ransomware have taken advantage of the earlier detected leak of exploits by TheShadowBrokers hacking group, which released multiple exploits for Windows operating systems. One of those, named ETERNALBLUE may have also been used for the GoldenEye Petya virus. However, the actual method of infection is even more interesting – similar to Petya/NotPetya, the virus may get into enterprise computers via an update, quite contrary to what WannaCry ransomware did. Instead of update, the victims receive a malicious executable which is obfuscated to avoid detection by antivirus software. From there, the virus force restarts the computer and begins it’s malicious activity.

Other methods by which GoldenEye ransomware can infect your computer include spam e-mails which aim to get you to click on suspicious e-mail attachments.

GoldenEye Ransomware – Malicious Activity

The first thing done by GoldenEye ransomware is to cause a system restart by ending vital system processes on the infected computer. Then, the virus modifies specific firmware settings on the infected computer to allow it to run on boot. As soon as the victim PC is restarted, the virus begins to pretend that it is actually fixing the file system on your system drive. But if you see the screen below you should immediately switch off your computer and take out the drive to salvage the damage that is done by GoldenEye Petya on your computer.

The virus also encrypts the files on the compromised computers, adding completely random file extensions. The malware then sets the GoldenEye ransom lock screen which prompts to press a key:

If you see this image, this means that the MFT (Master File Table) is encrypted via the Salsa20 mode. The blinking skull is the same as the first Petya, but has a yellow-golden color. If you “PRESS ANY KEY!” GoldenEye leads you to the ransom note of the virus which prompts you to open a Tor-based web page:

The web page has the communism logo along with the name of the virus. It also has a step-by-step instructions on how to pay in BitCoin in order to get the files recovered. The GoldenEye ransomware has a chat, where you can communicate with the cyber-criminals.

When we sum it up, GoldenEye is basically an updated variant of the combined Petya and Mischa ransomware viruses. The cyber-criminals have updated it’s encryption algorithm and have even added captcha identification. For the moment security experts strongly advise victims not to pay any ransom to both Petya GoldenEye and Petna ransomware viruses primarily because they are believed to be developed as cyber-weapons and aim to render the entire drive of the infected computer unusable.

How to Restore Drives Encrypted by GoldenEye Petya

In the even that your computer has become a victim of this virus, at this point there is no direct solution either for GoldenEye Petya or NotPetya ransomware viruses. This is why we have designed a theoretical approach which is in no way guarantee that you will be able to recover your data, but will surely help out a lot in restoring at least some of your files. But first, you need to prepare:

Preparation Phase:

To try decrypting drives by GoldenEye ransomware, you will need the tools to work with first:

  • A screwdriver, corresponding to your desktop/laptop.
  • A secure computer that is scanned for malware and cleaned and has a proper ransomware protection.
  • SATA to USB cable – you can find it very cheap (around $2) in every tech store.
  • A secured laptop or desktop PC.

To secure a PC you will need to:

1. Backup all your files in it via a cloud backup software or other methods.

2. Download a relevant malware-protection program to scan the PC.

3. Download a decent data recovery program. Any program will do for you, as long as it supports lost partition recovery.

After having secured the computer, it is recommended to follow the instructions on the video we have made for the new Petya ransomware variants, including GoldenEye:


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share