Microsoft claims ‘destructive malware’ is being used against Ukrainian organizations
Microsoft said it discovered destructive malware used to corrupt the systems of several organizations in Ukraine. In one blog published on saturday, Microsoft Threat Intelligence Center (MSTIC) said it first discovered the ransomware-type malware on January 13.
The news comes days after more than 70 Ukrainian government websites were defaced by groups allegedly associated with the Russian secret service. But Microsoft said it “found no notable association” between the malware it found and the website attacks that occurred last week.
“MSTIC assesses that the malware, which is designed to look like ransomware but lacks a ransom-recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom,” Microsoft explained.
“At this time and based on Microsoft’s visibility, our investigation teams have identified the malware on dozens of affected systems and this number may increase as our investigation continues. These systems span multiple organizations governmental, non-profit, and information technology organizations, all based in Ukraine.. We do not know the current stage of this attacker’s operational cycle or the number of other victim organizations that may exist in Ukraine or in other geographies, however these affected systems are unlikely to represent the full extent of the impact as reported by other organizations.
Microsoft added that it’s still unclear what the purpose of the malware is, but said all Ukrainian government agencies, nonprofits and businesses should be on the lookout.
They said it initially appeared to be possible Master Boot Records (MBR) eraser activity and called the malware’s capabilities “unique”.
The malware runs via Impacket and overwrites the MBR on a system with a ransom note demanding $10,000 in Bitcoin. Once a device shuts down, the malware runs, and Microsoft said it’s “atypical” for cybercriminal ransomware to overwrite the MBR.
Even though a ransom note is included, it is a ruse, according to Microsoft’s analysis. The malware locates files in certain directories with dozens of the most common file extensions and overwrites the contents with a fixed number of 0xCC bytes. After overwriting the contents, the shredder renames each file with a seemingly random four-byte extension, Microsoft explained.
Microsoft said this type of attack is “inconsistent with the cybercriminal ransomware activity” they have observed because usually ransomware payloads are personalized for each victim.
“In this case, the same ransomware payload has been observed in multiple victims. Virtually all ransomware encrypts file contents on the file system. In this case, the malware overwrites the MBR with no recovery mechanism. The amounts Explicit payment details and cryptocurrency wallet addresses are rarely specified in modern criminal ransom notes, but were specified by DEV-0586,” Microsoft explained.
“The same bitcoin wallet address was observed in all DEV-0586 intrusions and at the time of analysis the only activity was a small transfer on January 14. It is rare for the communication method to be a Tox ID only, an identifier for use with the Tox encrypted messaging protocol.Typically, there are websites with support forums or multiple contact methods (including email) to make it easier for the victim to get in touch. Most criminal ransom notes include a custom ID telling the victim to send their communications to the attackers.This is an important part of the process where the custom ID is mapped on the backend of the ransomware operation to a victim-specific decryption key. The ransom note in this case does not include a custom ID.”
Microsoft added that it was creating detections for the malware and provided a list of security recommendations for organizations that may have been targeted.
Rick Holland, CISO at Digital Shadows, told ZDNet that while Microsoft doesn’t attribute the activity to Russia, it’s not terribly difficult to associate these malicious actions with Russian interests.
The ransomware trickery, he said, gives the threat actor a thin veneer of plausible deniability, but as Microsoft points out, the full scope of the campaign is unclear.
“Destructive ransomware won’t be the only option available to the attacker. If you look at third-party attacks like SolarWinds from last year, you might see similar style campaigns where malicious actors went years undetected. on Ukrainian victim networks,” Holland said. .
“This activity is not without precedent; it is part of the Russian doctrine. Whether Russia encourages other actors or directs cyber operations itself, Russia seeks to disrupt the governmental and private institutions of their geopolitical adversaries. 2007 denial of service attacks against Estonia, cyberattacks during the annexation of Crimea in 2014, and the destructive malware used in the Petya and MeDoc attacks on Ukraine in 2017.”
Holland noted that the recovery process with destructive malware is difficult and can often depend on the security controls that were in place before the attack. He estimated that it could take days or even weeks for affected organizations to recover, explaining that it had taken more than a week for Saudi Aramco to recover from Shamoon in 2012 and months for organizations to recover. are recovering from NotPetya.
Netenrich’s John Bambenek echoed Holland’s remarks, telling ZDNet that Russia has used ransomware as a cover for destructive attacks in the past.
“The typical Russian ploy is to leave just enough ambiguity to assert in public that it wasn’t them, but to leave enough fingerprints that everyone in the room knows it was them for project a chilling effect on other countries in the region. Recovery depends on each entity but Ukraine has a long history of responding to and recovering from Russian sabotage attacks,” Bambenek said.
“MBR and other windshield wipers are quite common. We haven’t seen many of these in recent years, but the tool has always been in the toolbox when the mission is sabotage.”