This article aims to help you restore encrypted files from your hard drive if it has been infected by Petya GoldenEye Ransomware (other variant is known as Petya Eternal, ExPetr, PetrWrap, NotPetya).
The new ransomware outbreak of GoldenEye ransomware has been reported to target primarily Ukraine, but the malware quickly spread all over the world. This virus aims to encrypt all of the files on a hard drive and the MBR of the drive itself, making it virtually impossible for you to restore your files even if you pay the ransom. Researchers at Kaspersky have detected that the encryption routine of the new Petya/NotPetya virus is designed so that even if a payment is made, the ones behind the virus cannot decrypt your hard drive, even if they wanted to. So if your computer has been infected by this latest GoldenEye variant, you should also not pay the ransom and read this article to learn how to try and get your data back.
Threat Summary
| Name | GoldenEye Ransomware |
| Type | Ransomware, Cryptovirus |
| Short Description | Separate variant of Petya/NotPetya ransomware. Encrypts the MFT (Master File Table) and the files on the infected computer, demanding $300 ransom payoff. |
| Symptoms | A reddish lock-screen on boot, demanding $300. |
| Distribution Method | Spam Emails, Email Attachments, Executable files |
| Detection Tool | See If Your System Has Been Affected by GoldenEye Ransomware Download Malware Removal Tool | User Experience | Join Our Forum to Discuss GoldenEye Ransomware. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
The Infection Method of GoldenEye Ransomware
The primary method by which this nasty infection was detected to spread is very sophisticated and very effective. For starters, the cyber-criminals behind the GoldenEye Petya Ransomware have taken advantage of the earlier detected leak of exploits by TheShadowBrokers hacking group, which released multiple exploits for Windows operating systems. One of those, named ETERNALBLUE may have also been used for the GoldenEye Petya virus. However, the actual method of infection is even more interesting – similar to Petya/NotPetya, the virus may get into enterprise computers via an update, quite contrary to what WannaCry ransomware did. Instead of update, the victims receive a malicious executable which is obfuscated to avoid detection by antivirus software. From there, the virus force restarts the computer and begins it’s malicious activity.
Other methods by which GoldenEye ransomware can infect your computer include spam e-mails which aim to get you to click on suspicious e-mail attachments.
GoldenEye Ransomware – Malicious Activity
The first thing done by GoldenEye ransomware is to cause a system restart by ending vital system processes on the infected computer. Then, the virus modifies specific firmware settings on the infected computer to allow it to run on boot. As soon as the victim PC is restarted, the virus begins to pretend that it is actually fixing the file system on your system drive. But if you see the screen below you should immediately switch off your computer and take out the drive to salvage the damage that is done by GoldenEye Petya on your computer.
The virus also encrypts the files on the compromised computers, adding completely random file extensions. The malware then sets the GoldenEye ransom lock screen which prompts to press a key:
If you see this image, this means that the MFT (Master File Table) is encrypted via the Salsa20 mode. The blinking skull is the same as the first Petya, but has a yellow-golden color. If you “PRESS ANY KEY!” GoldenEye leads you to the ransom note of the virus which prompts you to open a Tor-based web page:
The web page has the communism logo along with the name of the virus. It also has a step-by-step instructions on how to pay in BitCoin in order to get the files recovered. The GoldenEye ransomware has a chat, where you can communicate with the cyber-criminals.
When we sum it up, GoldenEye is basically an updated variant of the combined Petya and Mischa ransomware viruses. The cyber-criminals have updated it’s encryption algorithm and have even added captcha identification. For the moment security experts strongly advise victims not to pay any ransom to both Petya GoldenEye and Petna ransomware viruses primarily because they are believed to be developed as cyber-weapons and aim to render the entire drive of the infected computer unusable.
How to Restore Drives Encrypted by GoldenEye Petya
In the even that your computer has become a victim of this virus, at this point there is no direct solution either for GoldenEye Petya or NotPetya ransomware viruses. This is why we have designed a theoretical approach which is in no way guarantee that you will be able to recover your data, but will surely help out a lot in restoring at least some of your files. But first, you need to prepare:
Preparation Phase:
To try decrypting drives by GoldenEye ransomware, you will need the tools to work with first:
- A screwdriver, corresponding to your desktop/laptop.
- A secure computer that is scanned for malware and cleaned and has a proper ransomware protection.
- SATA to USB cable – you can find it very cheap (around $2) in every tech store.
- A secured laptop or desktop PC.
To secure a PC you will need to:
1. Backup all your files in it via a cloud backup software or other methods.
2. Download a relevant malware-protection program to scan the PC.
3. Download a decent data recovery program. Any program will do for you, as long as it supports lost partition recovery.
After having secured the computer, it is recommended to follow the instructions on the video we have made for the new Petya ransomware variants, including GoldenEye:
