The global ransomware epidemic is just getting started

WannaCry should have been a major warning to the world about ransomware. Then the GoldenEye strain of Petya ransomware arrived. What’s next?

Alfred Ng Senior Reporter / CNET News

The Petya ransomware has spread across the world at an alarming rate.

Donat Sorokin\TASS\Getty Images

Thousands of computers around the world are getting locked up by fast-spreading ransomware. Big businesses are getting hit. An entire hospital is shut out of its systems. Suddenly, it's everywhere: the next big ransomware attack.

Here we go again. And again and again and again and again.

GoldenEye, a new strain of the Petya ransomware, took the world by storm on Tuesday after starting with a cyberattack in Kiev, Ukraine. From there, it spread to the country's electrical grid, airport and government offices. At the Chernobyl nuclear disaster site, workers had to monitor radiation manually because of the attack. And then it began to go global.

Russia's largest oil production company, Rosneft, suffered a cyberattack. Denmark-based Maersk, the largest shipping company in the world, had to shut down several of its systems to stop the infection from spreading further. New Jersey-based Merck, one of the largest pharmaceutical companies in the world, also suffered a massive hack. FedEx's TNT Express service was hit hard by the attack as well.

The list of affected victims goes on, just like it did when the WannaCry ransomware hit in May and locked up more than 200,000 computers across the globe.

Barely six weeks after WannaCry, GoldenEye was staring us down.

Ransomware has been around for years, but it generally hit one victim at a time: a single hospital, a single person. After the Shadow Brokers hacker group leaked National Security Agency exploits in April, cybercriminals were handed a much more dangerous weapon.

The NSA's EternalBlue exploit, which attacks a flaw in SMBv1, the old version of the file-sharing protocol Windows PCs use to exchange files across a network, is the ammunition that powers both WannaCry and GoldenEye. Microsoft fixed the flaw in March, two months before WannaCry, in its MS17-010 update.

With the exploit, you don't need to be tricked yourself to get infected.

Even if you never open a suspicious email attachment or a booby-trapped Word document, one person on your network who does is enough. From that first machine the worm scans for other Windows computers and exploits them over the network directly; nobody else has to click anything. Applying Microsoft's March patch for the flaw (MS17-010) makes a computer immune to EternalBlue itself, but GoldenEye carried a second key: it harvested administrator credentials from the memory of each machine it infected and used them with legitimate Windows remote-administration tools (PsExec and WMIC) to log in to patched machines as well.
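The following blast-radius model is an added illustration, not code from the article or from any malware. It plays out the two spread mechanisms on a constructed five-host network: the exploit path reaches any host that lacks the MS17-010 patch, and the credential path reaches any host, patched or not, on which an account harvested from an already-infected machine holds local administrator rights (GoldenEye used stolen credentials with PsExec and WMIC; that detail comes from the public analyses of the malware, not from the article). Host and account names are hypothetical.

```python
"""Blast-radius model for a GoldenEye-style worm (added example; constructed inventory).

Spread rules modelled:
  1. exploit: any unpatched host is reachable from any infected host, with no user action;
  2. credentials: the worm harvests the accounts logged on to each infected host and can
     log in to any host where one of those accounts is a local administrator.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    patched: bool          # MS17-010 applied (or SMBv1 disabled): immune to the exploit path
    admins: frozenset      # accounts holding local administrator rights on this host
    logged_on: frozenset   # accounts whose credentials sit in memory on this host


def simulate_outbreak(hosts, initially_infected):
    """Return {host_name: how_it_was_infected} for every host the worm reaches.

    Breadth-first: each newly infected host contributes its in-memory credentials, and
    every still-clean host is re-evaluated against the growing credential pool.
    """
    infected = {name: "initial" for name in initially_infected}
    queue = deque(initially_infected)
    harvested = set()
    while queue:
        current = queue.popleft()
        harvested |= hosts[current].logged_on
        for name, host in hosts.items():
            if name in infected:
                continue
            usable = harvested & host.admins
            if not host.patched:
                infected[name] = "exploit"
            elif usable:
                infected[name] = "credential:" + sorted(usable)[0]
            else:
                continue
            queue.append(name)
    return infected


def build_inventory(patch_everything=False):
    """Constructed (hypothetical) network. The help-desk account is the weak link: it is a
    local admin on several machines and was left logged on to ws-carol."""
    raw = [
        # name, patched, local admins, accounts logged on
        ("ws-alice",  False, {"corp\\alice"},                        {"corp\\alice"}),
        ("ws-carol",  False, {"corp\\carol", "corp\\helpdesk"},      {"corp\\carol", "corp\\helpdesk"}),
        ("ws-bob",    True,  {"corp\\bob", "corp\\helpdesk"},        {"corp\\bob"}),
        ("srv-files", True,  {"corp\\helpdesk", "corp\\svc-backup"}, {"corp\\svc-backup"}),
        ("srv-hr",    True,  {"corp\\hr-admin"},                     {"corp\\hr-admin"}),
    ]
    return {
        name: Host(name, patched or patch_everything, frozenset(admins), frozenset(logged))
        for name, patched, admins, logged in raw
    }


if __name__ == "__main__":
    # Alice opens the attachment; everything else follows from the network's state.
    for label, inventory in (("as found", build_inventory()),
                             ("fully patched", build_inventory(patch_everything=True))):
        print(label, simulate_outbreak(inventory, ["ws-alice"]))
```

In the "as found" run the unpatched ws-carol falls to the exploit, the help-desk credentials found in its memory then open the fully patched ws-bob and srv-files, and only srv-hr, whose admin account appears nowhere else, survives. With every host patched the outbreak stops at ws-alice, which is the article's point about updating; the credential path is why patching alone is not the whole answer.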

It's why you're seeing attacks on this scale and why the word "unprecedented" keeps getting thrown around.

Imagine fishing with a single rod and then suddenly you're given a giant net. For hackers, it's time to head out to sea.

Ransomware 2.0

The mix of the NSA's hacking tools with ordinary malware has created a toxic combination, especially since you can essentially go shopping for malware. GoldenEye is a variant of Petya, which has been sold on dark web forums since last April as a ransomware service: the buyers keep 85 percent of the profit, while the malware's creators take 15 percent.

"You don't have to be a cyber wiz to inflict cyber damage," Michael Daly, chief technology officer at Raytheon Cybersecurity, said in an email. "Various do-it-yourself kits are available as well as ransomware as an outsourced service on the deep web forums."

The malware has gotten smarter, too. WannaCry, despite its fame, was fairly basic. A researcher stumbled onto its killswitch by registering an unclaimed domain name that the malware checked before running; once the domain resolved, new infections stopped encrypting.

Compared with GoldenEye, WannaCry looks like it was written by amateurs. GoldenEye not only encrypts individual files but also overwrites the disk's boot record, forces a restart and then encrypts the master file table, the index the system uses to locate every file on the drive, so the whole disk becomes unreadable.

It also clears the computer's Windows event logs to cover its tracks and hide from analysts, said Mark Mager, a security researcher at Endgame.

"Forensic analysts will be unable to access this data that would be useful to their investigation," Mager said in a direct message.
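Log clearing is not silent, which is the check a defender wants here. The detection below is an added example, not code from the article or from Endgame: Windows writes a fresh event after a log is wiped (Security event 1102, "The audit log was cleared", and System event 104, "The ... log file was cleared"), so the clear itself survives; and where command-line auditing is on, process-creation events (Security 4688) show the tool used. GoldenEye ran wevtutil cl against the Setup, System, Security and Application logs and fsutil usn deletejournal against the NTFS change journal. The sample records are constructed, not real telemetry.

```python
"""Detect event-log clearing in Windows telemetry (added example; constructed sample data)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


# Events Windows itself writes after a log is cleared; they are written into the freshly
# emptied log, so they are the first thing to hunt for on a suspect machine.
LOG_CLEARED_IDS = {
    ("Security", 1102),   # "The audit log was cleared"
    ("System", 104),      # "The <name> log file was cleared"
}

# Command lines seen in 4688 process-creation events (requires command-line auditing).
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\b.*\b(?:cl|clear-log)\b", re.IGNORECASE)
USN_DELETE = re.compile(r"\bfsutil(?:\.exe)?\b.*\busn\b.*\bdeletejournal\b", re.IGNORECASE)


def detect_log_clearing(events):
    """Return one Alert per suspicious record. `events` is an iterable of dicts with the
    fields a SIEM would extract: host, log, event_id, user, command_line."""
    alerts = []
    for ev in events:
        host = ev.get("host", "?")
        if (ev.get("log"), ev.get("event_id")) in LOG_CLEARED_IDS:
            alerts.append(Alert(host, "event_log_cleared",
                                f"{ev['log']} log cleared by {ev.get('user', 'unknown')}"))
        if ev.get("event_id") == 4688:
            cmd = ev.get("command_line", "")
            if WEVTUTIL_CLEAR.search(cmd):
                alerts.append(Alert(host, "wevtutil_clear", cmd))
            if USN_DELETE.search(cmd):
                alerts.append(Alert(host, "usn_journal_deleted", cmd))
    return alerts


def hosts_with_clearing(events):
    """Triage view: {host: set of rules that fired}."""
    summary = {}
    for alert in detect_log_clearing(events):
        summary.setdefault(alert.host, set()).add(alert.rule)
    return summary


# Constructed sample records. ws01 is an admin reading the log (benign); ws02 shows the
# GoldenEye sequence: the cleanup command, then the clear events it leaves behind.
SAMPLE_EVENTS = [
    {"host": "ws01", "log": "Security", "event_id": 4688, "user": "CORP\\alice",
     "command_line": "wevtutil.exe qe Security /c:20 /rd:true /f:text"},
    {"host": "ws02", "log": "Security", "event_id": 4688, "user": "NT AUTHORITY\\SYSTEM",
     "command_line": ("C:\\Windows\\system32\\cmd.exe /c wevtutil cl Setup & wevtutil cl System & "
                      "wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:")},
    {"host": "ws02", "log": "Security", "event_id": 1102, "user": "NT AUTHORITY\\SYSTEM"},
    {"host": "ws02", "log": "System", "event_id": 104, "user": "NT AUTHORITY\\SYSTEM"},
    {"host": "ws03", "log": "System", "event_id": 7036, "user": ""},
]


if __name__ == "__main__":
    for alert in detect_log_clearing(SAMPLE_EVENTS):
        print(alert.host, alert.rule, alert.detail)
    print(hosts_with_clearing(SAMPLE_EVENTS))
```

On the sample data only ws02 fires: two alerts from the command line and one from each surviving clear event, while the administrator's read-only wevtutil query on ws01 is ignored. An admin clearing a log by hand will also trip the 1102/104 rule, so in practice the alert is scored by which account did it and whether a matching wevtutil cl was seen from a non-interactive process.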

And you can't just accidentally find the killswitch again. Amit Serper, a Cybereason researcher, found a way to inoculate a machine against GoldenEye by creating a read-only file named perfc in the Windows directory, which the malware checks for before it runs. That protects only the computer the file is on, though; it won't shut down every infection like the WannaCry killswitch.

Marcus Hutchins, better known as Malware Tech and the researcher who found the WannaCry fix, said a fix for GoldenEye would not be "doable remotely."

The fix isn't in

WannaCry was supposed to be a wake-up call for people to update their computers with the latest software. But it appears people just forgot about the attack and went on with their lives.

Avast, an antivirus company, found that 38 million PCs scanned just last week still had not patched their systems. That's after Microsoft took the unusual step of releasing patches for out-of-support versions of Windows, including Windows XP and Windows Server 2003, so that even those computers could be protected from the NSA exploits.

Since not everybody uses Avast, Jakub Kroustek, Avast's threat lab lead, said the "actual number of vulnerable PCs is probably much higher."

Microsoft did not respond to requests for comment.

Evidently, WannaCry was not the tipping point for people to actually act, and if the trend continues, GoldenEye won't be either.

The attacks are getting smarter, making more money and being sold as tools. And people are leaving themselves vulnerable.

I'll see you in a month for the next massive attack.
