Microsoft revealed that it had uncovered destructive malware being used against the systems of various organizations in Ukraine. According to a recent blog post, Microsoft Threat Intelligence Center (MSTIC) first identified the ransomware-like malware on January 13.
The disclosure comes days after groups reportedly linked to the Russian security services defaced more than 70 Ukrainian government websites. However, Microsoft stated that it had found no notable association between this malware and the website defacements of the previous week.
Microsoft went on to say that the malware's ultimate goal is still unknown, but that all Ukrainian government institutions, non-profits, and businesses should be on alert for it. Microsoft described the malware's capabilities as "unique," saying it first appeared to be possible Master Boot Record (MBR) wiper activity. The malware, executed via Impacket, overwrites the MBR with a ransom note demanding $10,000 in Bitcoin. The overwritten MBR code runs the next time the device is powered down and restarted, displaying the note instead of booting the operating system; Microsoft noted that overwriting the MBR is "atypical" for cybercriminal ransomware.
According to Microsoft's investigation, even though a ransom note is included, this is not a genuine ransomware campaign.
“MSTIC assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom,” Microsoft explained.
The malware looks for files with dozens of common extensions in specific directories and overwrites the contents of each with a fixed number of 0xCC bytes. It then renames each file with a seemingly random four-byte extension.
This behavior, according to Microsoft, is "inconsistent with cybercriminal ransomware activity" it has observed, because ransomware payloads are typically customized per victim, whereas here the same payload was used across targets. Microsoft also stated that it has released detections for the malware and published a list of security recommendations for organizations that may be affected.
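The two behaviors described above (an MBR replaced by a ransom-note stub, and files overwritten with a fixed-length run of 0xCC and given a four-character extension) both leave artifacts that are cheap to check for during triage. The following script is an added example, not Microsoft's code or anything from its advisory. It assumes the MBR is available as a raw 512-byte image, that the corrupter leaves a file consisting entirely of 0xCC bytes, and that the 0.5 printable-text threshold is a reasonable heuristic; the ransom-note text, the bootstrap stand-in and the sample directory tree are all constructed here for the demonstration.

```python
"""Triage checks for a ransom-note MBR and for 0xCC-filled files.
Added example; assumptions and sample data are constructed, see comments."""
import re
import tempfile
from pathlib import Path

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"       # last two bytes of a valid MBR
BOOTSTRAP_LEN = 440                 # bootstrap code area before disk signature / partition table
FILL_BYTE = 0xCC
RANDOM_EXT = re.compile(r"^\.[A-Za-z0-9]{4}$")
NOTE_WORDS = re.compile(rb"bitcoin|hard drive|recover|\$\d", re.I)


def mbr_looks_overwritten(mbr: bytes) -> dict:
    """Heuristic: a real bootstrap is mostly machine code, while a ransom-note
    stub is mostly printable text and names a payment. The boot signature is
    present either way, so it is reported but not used as evidence."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte MBR image, got {len(mbr)}")
    code = mbr[:BOOTSTRAP_LEN]
    text_ratio = sum(32 <= b < 127 for b in code) / BOOTSTRAP_LEN
    keywords = NOTE_WORDS.search(mbr) is not None
    return {
        "has_boot_signature": mbr[MBR_SIZE - 2:] == BOOT_SIGNATURE,
        "text_ratio": round(text_ratio, 3),
        "note_keywords": keywords,
        "suspicious": keywords or text_ratio > 0.5,  # threshold is an assumption
    }


def is_filled_with(path: Path, fill: int = FILL_BYTE) -> bool:
    """True if every byte of the file equals `fill` (empty files do not count)."""
    if path.stat().st_size == 0:
        return False
    with path.open("rb") as f:
        while chunk := f.read(1 << 16):
            if chunk.count(fill) != len(chunk):
                return False
    return True


def scan_tree(root: Path) -> list:
    """Return files that look corrupted: entirely 0xCC, with size and whether
    the last extension matches the four-character pattern."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and is_filled_with(p):
            hits.append({"path": str(p.relative_to(root)),
                         "size": p.stat().st_size,
                         "random_ext": bool(RANDOM_EXT.match(p.suffix))})
    return hits


# --- constructed samples (not captured from a real infection) ---------------
_note = b"Your hard drive has been corrupted. Send $10,000 in Bitcoin to recover it."
NOTE_MBR = _note.ljust(MBR_SIZE - 2, b"\x00") + BOOT_SIGNATURE
# deterministic byte soup standing in for real bootstrap code (no text, no keywords)
BENIGN_MBR = bytes((i * 37 + 11) % 256 for i in range(MBR_SIZE - 2)) + BOOT_SIGNATURE


def build_sample_tree(root: Path) -> None:
    (root / "contract.docx.Kx9q").write_bytes(bytes([FILL_BYTE]) * 4096)  # corrupted (constructed)
    (root / "notes.txt").write_text("quarterly numbers\n")                 # intact
    (root / "zeros.bin").write_bytes(b"\x00" * 4096)                       # zero-filled, not 0xCC
    (root / "empty.log").write_bytes(b"")                                  # ignored


def demo() -> list:
    """Build the sample tree in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp())
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print("corrupted:", hit)
    print("note MBR  :", mbr_looks_overwritten(NOTE_MBR))
    print("benign MBR:", mbr_looks_overwritten(BENIGN_MBR))
```

On a real system you would feed `mbr_looks_overwritten` the first 512 bytes of the physical disk (read offline, from an image) and point `scan_tree` at the volumes the malware targets; a cluster of hits sharing one file size is the tell for the fixed-length overwrite. Both checks are heuristics for triage, not a substitute for the vendor detections Microsoft says it has released.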
While Microsoft did not attribute the activity to Russia, Rick Holland, CISO at Digital Shadows, believes it is not a significant analytical leap to link these operations to Russian goals. He also said that the ransomware hoax offers the threat actor a thin veneer of plausible deniability, but that the true breadth of the campaign is unknown, as Microsoft points out.
"Destructive ransomware won't be the only option available to the attacker. If you look back at third-party attacks like last year's SolarWinds, you could see similar-style campaigns where malicious actors have spent years undetected on Ukrainian victim networks," Holland said.
“This activity isn’t unprecedented; it is a part of Russian doctrine. Whether Russia encourages other actors or directs cyber operations themselves, Russia seeks to disrupt government and private institutions of their geopolitical opponents. We have seen similar playbooks in the 2007 denial of service attacks against Estonia, the cyber-attacks during the 2014 Crimea annexation, and the destructive malware used in the Petya and MeDoc attacks against Ukraine in 2017.”
According to Holland, recovery from destructive malware is complex and frequently depends on the security mechanisms that were in place before the attack. He projected that affected organizations might take days to weeks to recover, noting that it took Saudi Aramco more than a week to recover from Shamoon in 2012 and months for organizations to recover from NotPetya. John Bambenek of Netenrich echoed Holland's comments, noting that Russia had previously used ransomware as a cover for harmful attacks.