Microsoft has detected a major wiper malware campaign targeting government, IT and non-profit organizations across Ukraine.
Dubbed “WhisperGate,” the attacks were first spotted on January 13, at around the same time that over a dozen government websites were forced offline in what was described as a “massive” cyber-attack.
Although Microsoft said it had not found any links between the destructive activity, tracked as DEV-0586, and previously known activity groups, the campaign comes at a time of heightened tensions with Russia, which is once again threatening Ukraine with invasion.
The malware, “which is designed to look like ransomware but lacking a ransom recovery mechanism,” has been found on “dozens” of systems, although it may have spread far wider, Microsoft warned.
“The two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note (Stage 1). The MBR is the part of a hard drive that tells the computer how to load its operating system. The ransom note contains a Bitcoin wallet and Tox ID (a unique account identifier used in the Tox encrypted messaging protocol) that have not been previously observed by the Microsoft Threat Intelligence Center (MSTIC),” the blog post noted.
“The malware executes when the associated device is powered down. Overwriting the MBR is atypical for cybercriminal ransomware. In reality, the ransom note is a ruse, and the malware destroys the MBR and the contents of the files it targets.”
The second-stage malware is hosted on a Discord channel and designed to locate files with specific extensions, overwrite their contents, and rename each file with a random four-byte extension.
Microsoft urged affected organizations to search for the relevant IoCs, investigate any anomalous authentication activity, enable multi-factor authentication (MFA), and enable controlled folder access (CFA) in Microsoft Defender, which blocks unauthorized writes to the MBR.
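The stage-1 behaviour described above, a boot sector that still carries the 0x55AA signature and a partition table but whose boot code area has been replaced by a ransom note, is something a responder can check for directly from a disk image. The following is an added example written for this article, not Microsoft's or any vendor's code and not one of the published IoCs. It assumes the raw first sector has already been captured as bytes (for instance from a forensic image, or `dd if=/dev/sda bs=512 count=1` on a Linux analysis host) and that it uses the classic MBR layout: 446 bytes of boot code, four 16-byte partition entries, and the two-byte signature. The text-run threshold and the keyword list are heuristic assumptions chosen for illustration; the sample sectors are constructed, not captured from any real system.

```python
"""Heuristic inspection of a 512-byte MBR image for a ransom-note overwrite.

Added example, not code from the article or from Microsoft. Assumes the raw
first sector is already available as bytes and follows the classic layout:
446 bytes of boot code, four 16-byte partition entries, 0x55AA signature.
"""
import string
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 446
PTABLE_OFF = 446
SIG_OFF = 510
PRINTABLE = frozenset(string.printable.encode())
# Stock boot code contains only short strings (the Windows MBR's longest,
# "Error loading operating system", is 30 bytes), so a run of 48 or more
# printable bytes is a text blob, not code. The value is a heuristic.
TEXT_RUN_THRESHOLD = 48
# The article says the note carries a Bitcoin wallet and a Tox ID; matching
# on these words is a heuristic assumption, not a published indicator.
NOTE_KEYWORDS = (b"bitcoin", b"tox id", b"wallet")


def longest_printable_run(data: bytes) -> int:
    """Length of the longest run of consecutive printable-ASCII bytes."""
    best = run = 0
    for b in data:
        run = run + 1 if b in PRINTABLE else 0
        best = max(best, run)
    return best


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries: status, type, LBA start, sector count."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PTABLE_OFF + 16 * i)  # skip the two CHS triples
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def inspect_mbr(mbr: bytes) -> dict:
    """Return findings for one sector; 'suspicious' is True if any fired."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if mbr[SIG_OFF:] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(mbr)
    if not any(p["type"] and p["sectors"] for p in parts):
        findings.append("no usable partition entry")
    if any(p["status"] not in (0x00, 0x80) for p in parts):
        findings.append("partition entry with invalid status byte")
    boot = mbr[:BOOTCODE_LEN]
    run = longest_printable_run(boot)
    if run >= TEXT_RUN_THRESHOLD:
        findings.append(f"{run}-byte printable text run in boot code area")
    hits = [k.decode() for k in NOTE_KEYWORDS if k in boot.lower()]
    if hits:
        findings.append("ransom-note keywords in boot code area: " + ", ".join(hits))
    return {"suspicious": bool(findings), "findings": findings,
            "longest_text_run": run, "partitions": parts}


# Constructed sample sectors (not captured from any real system).
_NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                          b"\xfe\xff\xff", 2048, 1_000_000)
_PTABLE = _NTFS_ENTRY + b"\x00" * 48  # one bootable NTFS entry, three empty


def sample_healthy_mbr() -> bytes:
    """Stand-in for a normal MBR: opaque code bytes plus the usual short strings."""
    code = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"
            b"Invalid partition table\x00"
            b"Error loading operating system\x00"
            b"Missing operating system\x00")
    return code.ljust(BOOTCODE_LEN, b"\x00") + _PTABLE + b"\x55\xaa"


def sample_note_mbr() -> bytes:
    """Boot code replaced by a placeholder note; signature and table left intact."""
    note = (b"ALL YOUR FILES ARE CORRUPTED.\r\n"
            b"Pay 1 BTC to bitcoin wallet <placeholder> and send the receipt "
            b"to Tox ID <placeholder> to get the recovery key.\r\n")
    return note.ljust(BOOTCODE_LEN, b"\x00") + _PTABLE + b"\x55\xaa"


if __name__ == "__main__":
    for name, image in (("healthy", sample_healthy_mbr()),
                        ("ransom-note", sample_note_mbr()),
                        ("zeroed", b"\x00" * SECTOR_SIZE)):
        result = inspect_mbr(image)
        print(f"{name:12s} suspicious={result['suspicious']} {result['findings']}")
```

The point of the second sample is that a signature-only check passes it: the 0x55AA bytes and the partition table are untouched, and only the printable-text run and keyword heuristics fire. The zeroed sector, by contrast, fails on the signature and the partition table, which is what a plain overwrite with nulls looks like. Reading the live sector on a running Windows host needs administrator rights and a raw volume handle; working from a forensic image is the safer route during incident response.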
Senior manager for tactical defense at F-Secure, Calvin Gan, argued that WhisperGate has echoes of the infamous NotPetya campaign tied to the Russian state.
“With the usage of wiper malware, it is clear that the attackers are not after financial gain but are more motivated to cripple the target operations. Overwriting the MBR would render the machine unbootable, thus making recovery impossible, especially when the malware also overwrites file contents before overwriting the MBR,” he said.
“While the attacker’s true intention in deploying wiper ransomware coupled with a file corrupter is not known at the moment, having it target government agencies and associated establishments is a sign that they want operations in these organizations ceased immediately. Perhaps the Bitcoin wallet address and communication channel in the ransom note of WhisperGate are a smokescreen to divert attention from the attacker’s true intention while making them harder to track.”