The 2018 Pyeongchang Winter Olympics cyber attack was found to be caused by a malware called the Olympic Destroyer Virus. The initial code analysis reveals that this is an advanced Trojan that recruits the impacted systems into a worldwide botnet network. It can also be used to institute ransomware and other additional viruses.
|Short Description||The Olympic Destroyer Virus is an advanced virus that can delete important files and recruits the infected host to a worldwide botnet network.|
|Symptoms||In most cases the victims may not be able to spot any infection symptoms. In certain cases applications and services may stop working.|
|Distribution Method||Spam Emails, Email Attachments, Executable Files|
|Detection Tool|| See If Your System Has Been Affected by Olympic Destroyer |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Olympic Destroyer.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Olympic Destroyer Virus – Distribution
The Olympic Destroyer Virus has become famous as this is the virus that was able to penetrate the 2018 Winter Olympics in Pyeongchang. At the moment the released details showcase that the threat has been deployed using a Wi-Fi network. Media reporters on location shared that shortly before the ceremony the Wi-Fi access stopped working due to technical difficulties. A spokesperson later issued a statement that the technical problems affected several areas of the Games without revealing further information. However many guests and reporters reported that they started receiving malware emails which means that the Olympic Destroyer Virus has probably penetrated the internal network. Using the obtained information we can deduce a few potential infection distribution tactics delivering the Olympic Destroyer Virus samples.
The hackers behind the virus may have targeted a particular software vulnerability using an automated penetration testing framework. These utilities are loaded with exploits for many of the most commonly used services. It is possible that the event organizers have employed an outdated version of a certain software services which was hijacked.
Another possibility is the active distribution of the Olympic Destroyer Virus through email messages to users of the internal network. In such cases the malware operators can uses various social engineering scams. There are two primary ways the email messages can be customized. One of them is the direct attachment of the virus files to the messages. The victim recipients are instructed to download and run them. Another prominent strategy is to send the ransomware file through a hosted instance. In this case malware hyperlinks are used to direct the intended victims into them.
When mass infections are intended the hackers can also take advantage of browser hijackers. They have the ability to modify the settings of the installed web browsers and are usually compatible with the most popular apps: Microsoft Edge, Internet Explorer, Google Chrome, Opera and Safari. The default behavior is to redirect the users to a hacker-controlled page, as well as infect the victims with viruses.
Other techniques include the use of infected documents that may be of different types: rich text documents, spreadsheets and presentations. The hackers customize them to appear as files of interests: invoices, letters, notifications or contracts. As soon as they are opened a prompt pops up and asks them to execute the built-in scripts (macros). Once this is done the virus infection follows.
A similar technique is the use of software installers that represent modified instances of popular software. The malware operators usually take the legitimate installers from the official vendor sites and modifying them to include the dangerous code. They are then uploaded to counterfeit download sites or sent using email message campaigns. Note that such files are also actively distributed on file sharing networks such as BitTorrent.
Olympic Destroyer Virus – Impact
The captured Olympic Destroyer Virus have been found to be based on a modular framework. Once the virus engine has found a way to penetrate the target system it starts to look out for security software and other applications that may interfere with its processes. Like other advanced malware it is able to counter and bypass the real-time security engines of anti-virus products and has been found effective against debuggers, sandboxes and virtual machines as well. We remind our readers that the hackers can also instruct the samples to delete themselves if they are unable to do so. This step is made in order to counter post-intrusion detection.
Once this is done the ransomware engine continues further by launching an elaborate information gathering module which is able to query sensitive information found in the infected machines. At the moment we have received confirmation that the bulk of data is related to the regional language settings and system data. This includes details about the computers such as their operating system.
A series of dangerous system changes follow that can make manual removal impossible without the use of a quality anti-spyware solution, refer to our in-depth guide after the analysis. The Olympic Destroyer Virus is extremely sophisticated as it can delete a number of important parts of the operating system: Shadow Volume copies (that make data recovery difficult), backups and certain Windows registry values. As a consequence the victims will find that data recovery will be difficult and that they will need to use a professional-grade software. The users can also experience serious performance issues and discover that certain services or applications may fail.
The main infection module has the ability to interfere with the boot options which in effect also disables the recovery options. By hooking up to system services it can masquerade itself from analysis and can spawn its own processes using both user and administrative privileges. The virus allows the hacker operators to execute arbitrary commands on the infected machines. Such use can allow the criminal operators to insitute additional malware including Trojans. They allow the computer system to be spied upon in real time. The hackers can also overtake control of the machines at any given time.
Such threats can be modified to include a ransomware component which can encrypt sensitive files based on a predefined list of target file type extensions. The files are encrypted using a powerful cipher and can be renamed with different extensions which can be customized according to the malware version or attack campaign. Usually after this is done the hackers create special documents called ransom notes that blackmail the victims for a ransom fee. The money is usually quoted in a cryptocurrency where the transactions cannot be traced down to a certain individual or group.
According to the security reports the main goal of the infections is to recruit the host to a worldwide network of zombie nodes that can be used to launch devastating denial of service attacks. Once all infection components have completed execution the virus spreads to other hosts via a network worm propagation technique. This is the reason why it is considered a high-risk threat.
How to Remove Olympic Destroyer Virus and Restore Files
Тo remove Olympic Destroyer ransowmare just follow the step-by-step removal guide below which provides both manual and automatic approaches. Due to the complexity of ransomware code, security researchers recommend the help of advanced anti-malware tool that guarantees maximum efficiency.
Once the removal is complete, alternative data recovery approaches could be also found in the guide. They may be useful for the restore of some encrypted files. Be advised to back up all encrypted files to an external drive before you proceed with the recovery process.