Microsoft: Data-wiping malware disguised as ransomware targets Ukraine again
Image: The Record, Rostislav Artov
Catalin Cimpanu January 16, 2022

Microsoft: Data-wiping malware disguised as ransomware targets Ukraine again

Microsoft: Data-wiping malware disguised as ransomware targets Ukraine again

Microsoft said today that it has observed a destructive attack taking place in Ukraine where a malware strain has wiped infected computers and then tried to pass as a ransomware attack, but without providing a ransomware payment and recovery mechanism.

“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues,” the Microsoft Threat Intelligence Center said in a blog post late Saturday night.

The OS maker said the affected systems belong to multiple government agencies, non-profits, and information technology organizations, all based in Ukraine.

Microsoft said it has not yet identified the distribution vector or if the attack spread beyond the original Ukrainian targets.

The attack does not appear to be at the same scale and virality as the NotPetya and BadRabbit wiper events that targeted Ukrainian organizations in June and November 2017, respectively, and then spread all across the world.

Just like the NotPetya and BadRabbit wipers, Microsoft said that this recent one also comes with a component that overwrites a computer Master Boot Record (MBR) and prevents them from booting.

The malware corrupts files, rewrites MBR, hides as ransomware

The malware, which Microsoft calls WhisperGate, then replaces the boot-up screen with a ransom note, which, according to Microsoft, includes a ransom fee, a Bitcoin address to receive payments, and a Tox ID to get in contact with the attackers.

In case victims manage to restore their MBR and their boot-up sequence, Microsoft says the malware also corrupts files with a certain extension by overwritting their contents with a fixed number of 0xCC bytes up to a total file size of 1MB.

“After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension,” Microsoft said.

.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU.SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP

At the time of writing, the attackers’ Bitcoin address only contains one payment of $5, even if the ransom request is for $10,000.

No formal attribution just yet

Microsoft researchers said they weren’t yet able to link the group to any known threat actor and are currently tracking the attackers under the temporary codename of DEV-0586.

The attack comes on the heels of failed talks between Russia and the US and threats of a Russian invasion.

Ten Ukrainian government websites were also defaced on Friday after hackers compromised the IT systems of a government contractor responsible for managing the affected servers.

Taking past events and the geo-political situation, the chances are that this attack is very likely carried out by a Russian cyber-espionage group as well.

The US and their Five Eyes allies formally attributed both the NotPetya and BadRabbit attacks to a Russian hacking group known as APT28 (or Fancy Bear).

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.