What is GoldenEye ransomware?

GoldenEye is ransomware: malware that encrypts the data on a victim's computer and demands payment for the means to restore access. It first appeared in December 2016 as a variant of the Petya/Mischa family and has since been used against organizations around the world.

What does GoldenEye ransomware do?

Like other ransomware, GoldenEye encrypts files on infected systems with strong encryption, typically a per-file symmetric key that is itself encrypted with the attackers' public key, so the data cannot be recovered without a private key only they hold. It then displays a ransom note demanding payment, usually in a cryptocurrency such as Bitcoin, in exchange for the decryption key.

Beyond encrypting user files, GoldenEye may also:

  • Overwrite the boot record and, after forcing a reboot, encrypt the NTFS Master File Table, so the operating system no longer starts and only the ransom screen is shown
  • Steal data and threaten to publish or sell it online
  • Delete Volume Shadow Copies so that earlier versions of files cannot be restored
  • Disable System Restore and delete existing restore points
  • Disable or tamper with antivirus and other security tools so they cannot remove it

The ransom note claims that files will be lost permanently if the ransom is not paid. Paying, however, guarantees nothing: decryptors may fail, arrive late, or never arrive. In practice victims choose between paying and restoring from backups, which is why the quality of those backups decides how bad an incident becomes.
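The recovery-inhibiting steps in the list above leave distinctive traces in process creation telemetry (Sysmon event 1, Windows event 4688, or EDR). The following Python is an added example for this article, not code from the page or from any GoldenEye sample: it runs a handful of command-line rules over constructed log lines and escalates when one host trips several rules in succession. The log format, the rule labels and the sample lines are my own.

```python
"""Flag process command lines that match the recovery-inhibiting behaviour
listed above: shadow copy deletion, recovery and restore point tampering,
and security tool disabling. Example code added for this article, not from
any GoldenEye sample; the log lines below are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Each rule pairs a label with a regex tested against the lower-cased command
# line. Patterns tolerate a missing .exe suffix and argument reordering.
RULES = [
    ("shadow_copy_delete", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*\.delete\(")),
    ("shadow_storage_shrink", re.compile(
        r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*/maxsize=")),
    ("recovery_disabled", re.compile(
        r"bcdedit(\.exe)?\s+/set\s+.*(recoveryenabled\s+no"
        r"|bootstatuspolicy\s+ignoreallfailures)")),
    ("backup_catalog_delete", re.compile(
        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)")),
    ("restore_point_tamper", re.compile(
        r"disable-computerrestore|srremovepoint")),
    ("defender_disabled", re.compile(
        r"set-mppreference\s+.*-disable(realtimemonitoring|ioavprotection"
        r"|behaviormonitoring)\s+\$?true|disableantispyware")),
]

# Constructed process creation records: timestamp|host|user|parent_image|command_line
SAMPLE_LOG = [
    r"2024-03-04T02:11:08Z|FS01|CORP\svc_backup|C:\Windows\System32\cmd.exe|vssadmin.exe Delete Shadows /All /Quiet",
    r"2024-03-04T02:11:09Z|FS01|CORP\svc_backup|C:\Windows\System32\cmd.exe|wmic.exe shadowcopy delete",
    r"2024-03-04T02:11:10Z|FS01|CORP\svc_backup|C:\Windows\System32\cmd.exe|bcdedit.exe /set {default} recoveryenabled No",
    r"2024-03-04T02:11:11Z|FS01|CORP\svc_backup|C:\Windows\System32\cmd.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    r"2024-03-04T02:11:12Z|FS01|CORP\svc_backup|C:\Windows\System32\cmd.exe|wbadmin.exe delete catalog -quiet",
    r"2024-03-04T02:11:13Z|FS01|CORP\svc_backup|C:\Windows\System32\powershell.exe|powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true",
    r"2024-03-04T08:30:00Z|WS17|CORP\jdoe|C:\Windows\explorer.exe|notepad.exe C:\Users\jdoe\notes.txt",
    r"2024-03-04T09:02:41Z|BKP02|CORP\admin|C:\Windows\System32\cmd.exe|vssadmin.exe list shadows",
]


@dataclass
class Hit:
    timestamp: str
    host: str
    user: str
    label: str
    command_line: str


def detect(lines):
    """Return one Hit per (log line, rule) match."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ts, host, user, _parent, cmd = line.split("|", 4)
        lowered = cmd.lower()
        for label, pattern in RULES:
            if pattern.search(lowered):
                hits.append(Hit(ts, host, user, label, cmd))
    return hits


def triage(hits, min_distinct=2):
    """Hosts that trip at least `min_distinct` different rules. Each command
    has a legitimate administrative use; several of them in quick succession
    on one host is the pre-encryption pattern worth paging on."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h.host].add(h.label)
    return {host: sorted(labels) for host, labels in by_host.items()
            if len(labels) >= min_distinct}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.host} {h.user} [{h.label}] {h.command_line}")
    print("escalate:", triage(found))
```

Any single command here has an administrative use, so alert on the combination per host rather than on one match; the "vssadmin list shadows" line from the backup server is correctly left alone.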

How does GoldenEye ransomware infect systems?

GoldenEye reaches targets by several routes, including:

  • Phishing emails – Messages with malicious attachments or links. GoldenEye's original campaign posed as job applications sent to HR departments, with Excel attachments whose macros fetched and ran the payload; opening the attachment or following the link is enough to start the infection.
  • Exploit kits – Legitimate websites compromised to host code that exploits browser or plugin vulnerabilities, infecting visitors through drive-by downloads.
  • Remote Desktop Protocol (RDP) – Password guessing against RDP exposed to the internet gives attackers an interactive foothold from which to stage the ransomware inside the network.
  • Software vulnerabilities – Exploitation of unpatched flaws in internet-facing software to run arbitrary code and fetch the payload.

Initial access lets GoldenEye operators escalate privileges, move laterally, and deploy the ransomware across many systems and servers at once.
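The RDP route is the easiest of these to observe, because every guess leaves a failed logon event. The Python below is an added example for this article, not from the page or from any published GoldenEye analysis: it applies a sliding window over constructed, simplified 4625/4624 events and escalates when a source that has been guessing then succeeds. The field layout, thresholds, account names and addresses are assumptions.

```python
"""Detect RDP password guessing, and the one success that matters after it,
in Windows logon events. Example code added for this article (not from any
GoldenEye report); the events are constructed and use simplified fields from
Security log events 4625 (failed logon) and 4624 (successful logon)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10               # failures from one source IP ...
WINDOW = timedelta(seconds=60)    # ... inside this sliding window
RDP_LOGON_TYPES = {"10", "3"}     # 10 = RemoteInteractive; RDP with NLA logs as 3 (Network)

ATTACKER = "203.0.113.45"         # constructed address from the TEST-NET-3 documentation range
SAMPLE_EVENTS = [
    # constructed: 12 failed RDP logons in 33 seconds, cycling through guessed names
    f"2024-03-04T01:58:{3 * i:02d}Z|4625|10|{acct}|{ATTACKER}"
    for i, acct in enumerate(["administrator", "admin", "backup", "scanner",
                              "administrator", "admin", "backup", "scanner",
                              "administrator", "admin", "backup", "svc_backup"])
] + [
    f"2024-03-04T01:59:10Z|4624|10|svc_backup|{ATTACKER}",  # then one success
    "2024-03-04T08:14:02Z|4625|10|jdoe|198.51.100.7",      # a user mistyping twice
    "2024-03-04T08:14:09Z|4625|10|jdoe|198.51.100.7",
    "2024-03-04T08:14:20Z|4624|10|jdoe|198.51.100.7",
    "2024-03-04T08:20:00Z|4625|2|kiosk|-",                  # console logon: not RDP, ignored
]


def parse(line):
    """Fields: timestamp|event_id|logon_type|account|source_ip (simplified)."""
    ts, event_id, logon_type, account, source_ip = line.split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": event_id,
        "logon_type": logon_type,
        "account": account.lower(),
        "source_ip": source_ip,
    }


def detect_rdp_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: finding} for sources whose RDP failures reach the
    threshold inside the window. A later success from a flagged source
    upgrades the finding to 'high': that is the logon to treat as hostile."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # source_ip -> failure timestamps still inside the window
    tried = defaultdict(set)      # source_ip -> distinct accounts attempted
    findings = {}
    for e in events:
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = e["source_ip"]
        if e["event_id"] == "4625":
            q = recent[ip]
            q.append(e["ts"])
            tried[ip].add(e["account"])
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"severity": "medium", "failures": 0,
                                             "accounts": 0, "success_account": None})
                f["failures"] = max(f["failures"], len(q))
                f["accounts"] = len(tried[ip])
        elif e["event_id"] == "4624" and ip in findings:
            findings[ip]["severity"] = "high"
            findings[ip]["success_account"] = e["account"]
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, finding)
```

The distinct-account count separates a spray across many names from a single account being hammered, and the success-after-failures upgrade is what turns a noisy alert into an incident: with the default threshold the mistyping user is ignored, while lowering it to 2 would flag them too.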

What are the origins of GoldenEye ransomware?

GoldenEye surfaced in December 2016 as a rebranded build that combines the earlier Petya and Mischa ransomware from the same developers: Mischa encrypts individual files, Petya encrypts the Master File Table at boot, and GoldenEye runs both stages in turn.

Researchers attribute it to a financially motivated criminal group. The name, like Petya, Mischa and the developers' Janus persona, is a reference to the James Bond film GoldenEye. Access to compromised networks is also traded on underground forums, with the buyers deploying the ransomware to encrypt systems for ransom.

How does GoldenEye ransomware compare to other ransomware?

GoldenEye exhibits capabilities common to modern ransomware operations:

  • Double extortion – Stealing data and threatening to leak it, in addition to encrypting files.
  • Initial access brokers – Third-party criminals sell footholds that are used to deploy the ransomware.
  • Ransomware-as-a-Service (RaaS) – Affiliates run campaigns with malware leased from the developers.
  • Multistage delivery – Droppers, loaders, and other tooling place the ransomware on systems.

GoldenEye also has traits that set it apart:

  • Lets the ransom amount be configured per device or per network
  • Includes functions aimed at Hyper-V and VMware ESXi virtual machines
  • Checks installed keyboard layouts and exits on systems with a Russian or Belarusian layout
  • Has been seen using the AnyDesk remote desktop tool for hands-on access during attacks

Configurable ransom demands and virtual machine targeting show GoldenEye continuing to adopt more sophisticated, profit-driven techniques.
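The keyboard layout check in the list above is worth understanding precisely, because it explains the "install a Russian layout" folk remedy and its limits. This Python is an added example for this article, not code from any GoldenEye sample: it reproduces the decision such a check makes from a list of Windows keyboard layout handles (HKLs), using constructed values, and on Windows can also read the real list through user32. The host names are hypothetical.

```python
"""Reproduce the keyboard layout check attributed to GoldenEye above and
show what it keys on. Example code added for this article, not taken from
any sample; the HKL values are constructed from Microsoft's documented
language identifiers (en-US 0x0409, ru-RU 0x0419, be-BY 0x0423, ...)."""
import sys

# Windows primary language identifiers: the low 10 bits of a LANGID.
LANG_RUSSIAN = 0x19
LANG_BELARUSIAN = 0x23
EXCLUDED_PRIMARY_LANGS = {LANG_RUSSIAN, LANG_BELARUSIAN}


def langid_from_hkl(hkl):
    """GetKeyboardLayoutList returns HKL handles; the low word is the LANGID,
    the high word is a device handle or layout flag that must be discarded."""
    return hkl & 0xFFFF


def primary_lang(langid):
    """Strip the sublanguage (the high 6 bits): ru-RU 0x0419 and ru-MD 0x0819
    both reduce to LANG_RUSSIAN, which is why such checks compare primary
    languages rather than exact LANGIDs."""
    return langid & 0x3FF


def would_skip_host(hkls):
    """True if a layout check of this kind would make the malware exit
    without encrypting: some installed layout is Russian or Belarusian."""
    return any(primary_lang(langid_from_hkl(h)) in EXCLUDED_PRIMARY_LANGS for h in hkls)


def installed_layouts():
    """Read the real layout list on Windows via user32; elsewhere return []."""
    if sys.platform != "win32":
        return []
    import ctypes
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    user32.GetKeyboardLayoutList.argtypes = [ctypes.c_int, ctypes.POINTER(ctypes.c_void_p)]
    user32.GetKeyboardLayoutList.restype = ctypes.c_int
    count = user32.GetKeyboardLayoutList(0, None)   # first call: how many layouts
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)         # second call: fill the buffer
    return [h or 0 for h in buf]


# Constructed layout lists for hypothetical hosts.
HOSTS = {
    "us_only":       [0x04090409],               # en-US
    "us_plus_ru":    [0x04090409, 0x04190419],   # en-US + ru-RU
    "by_only":       [0x04230423],               # be-BY
    "ua_only":       [0x04220422],               # uk-UA: not on the page's exclusion list
    "ru_md_variant": [0x04090409, 0x08190819],   # ru-MD: same primary language as ru-RU
    "ja_ime":        [0xE0010411],               # IME handle: high word is a flag, not a language
}


def classify_hosts(hosts=HOSTS):
    """Map each host name to whether the check would spare it."""
    return {name: would_skip_host(hkls) for name, hkls in hosts.items()}


if __name__ == "__main__":
    for name, skipped in classify_hosts().items():
        print(f"{name:14s} skipped={skipped}")
    if sys.platform == "win32":
        print("this machine:", [hex(langid_from_hkl(h)) for h in installed_layouts()],
              "skipped =", would_skip_host(installed_layouts()))
```

The check keys on the primary language of each layout, so a Russian (Moldova) layout counts the same as Russian (Russia) while Ukrainian does not. Some defenders add a Russian layout as a cheap deterrent; treat that as a curiosity rather than a control, since each family implements the check differently and the operators can drop it in the next build.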

What are notable GoldenEye ransomware attacks?

Organizations reported to have been hit in GoldenEye campaigns include:

  • Blackbaud – Cloud computing provider serving non-profit clients and universities.
  • Conduent – Business services and solutions company supporting transportation, healthcare, and other sectors.
  • Forbes – American business magazine.
  • Ubisoft – Major video game developer known for titles like Assassin’s Creed and Far Cry.

The attacks disrupted IT systems, causing outages that affected operations and customer service. Ransoms as high as $14 million were reportedly demanded from some victims, and several organizations confirmed that sensitive data had been exfiltrated.

How can organizations defend against GoldenEye?

Defensive measures that reduce exposure to GoldenEye ransomware include:

  • Applying security updates promptly to operating systems, applications, and internet-facing appliances
  • Enforcing strong, unique passwords and multi-factor authentication, especially for remote access and administrative accounts
  • Taking RDP off the internet: reach it only through a VPN or gateway with MFA, and limit which accounts and source networks may connect
  • Monitoring networks and endpoints for suspicious activity, such as bursts of failed logons, shadow copy deletion, or security tools being disabled
  • Filtering email and blocking suspicious attachments and links, including macro-enabled Office documents from outside the organization
  • Developing and regularly exercising an incident response plan for ransomware
  • Backing up data regularly, keeping at least one copy offline or immutable, and testing that restores actually work
  • Deploying endpoint detection and response (EDR) with tamper protection enabled
  • Running security awareness training so staff recognise phishing and report it

Combining preventive controls with detective ones is what keeps a single compromised host from becoming an enterprise-wide encryption event.

What should you do if infected with GoldenEye ransomware?

Steps to take if GoldenEye ransomware is detected in your environment:

  1. Isolate infected systems from the network immediately (pull the cable, disable Wi-Fi, or quarantine through EDR). Power them off only if you cannot disconnect them: shutting down discards memory that may hold encryption keys and other evidence.
  2. Determine the scope of the compromise across the network, using EDR telemetry and logs where available, and look for the attacker's other footholds, not just the hosts showing a ransom note.
  3. Notify leadership and activate the incident response plan.
  4. Engage law enforcement and an incident response provider for support.
  5. Weigh restoring from backups against paying. Law enforcement advises against payment, paying does not guarantee a working decryptor, and it may invite repeat attacks.
  6. Rebuild or restore affected systems from clean backups only after the intrusion path has been closed and the attacker evicted; otherwise the environment is simply encrypted again.
  7. Conduct forensics to establish the root cause, improve detections, and prevent reinfection.
  8. Report the incident through official channels such as CISA or MS-ISAC.

Do not negotiate with the actors, pay the ransom, or open unfamiliar files on affected systems without professional guidance; each can make the situation worse.

Conclusion

GoldenEye ransomware is a serious threat to businesses and institutions worldwide. Its configurable ransom demands and evolving tactics make it a dangerous, profit-driven strain. Organizations must harden internet-facing systems, limit lateral movement, and layer preventive and detective controls so that an intrusion is caught and contained before it becomes an outage.

Backing up critical data and keeping the incident response plan current are what make a ransomware attack survivable. Seeking help from security professionals at the first sign of compromise helps contain the spread and speeds recovery. The malware will keep developing, but defenders who take these measures and build resilience into their environments can manage the risk posed by destructive threats like GoldenEye.
