Bitcoin Ransomware Hits Ukraine’s Ministry of Energy website

The official website of Ukraine’s Ministry of Energy and coal was hit by a ransomware attack, as a result, the website has been compromised by malicious hackers asking for ransom in Bitcoin.

The attack took place at 7.34am GMT today when hackers left a message on the website in English demanding ransom payment in Bitcoin to get the key for encrypted files of the ministry.

The hacker who goes by the online handle of “X-Zakaria” demanded a 0.1 Bitcoin ransom ($948 – €773 – £665) along with providing his Gmail account for authorities to get in touch with him and how to pay the ransom.

Bitcoin Ransomware Hits Ukraine's Ministry of Energy website
Screenshot of the ransom note left by the hacker on the ministry’s website

According to Reuters, the ransomware attack seemed to be an isolated incident with no other government websites or systems affected. However, researchers at cybersecurity giant AlienVault believe that the attack involved two different hackers where the first hacker X-Zakaria defaced the ministry’s website and another hacker took used a backdoor to lock the files on the website and left a ransom note.

AlienVault also noted that the same hackers have been compromising other websites and so far only made $139. A look at the Blockchain address of the hackers confirms the duo did not make much money from their attacks.

A look at Ukraine’s Ministry of Energy website’s cache shows it is using Drupal 7 content management system (CMS) which was recently reported to be vulnerable to hacking attacksDubbed as Drupalgeddon2, the vulnerability was also exploited by malicious hackers to install cryptocurrency miners to mine for Monero coins.

See: How To Prevent Growing Issue of Encryption Based Malware (Ransomware)

Commenting on the attack, James Lerud, head of the Behavioural Research Team, Verodin, said since the attack took place on a high-profile target that draws attention worldwide.

“Ukraine is often the target of Russian hacking, adding to that the incident also involves the energy sector and ransomware; a combination that is sure to draw attention. It appears that this attack was from someone (or a group) who uses automation to mass scan and then compromise vulnerable websites with ransomware. It is likely that the operators of this did not know that they were going to compromise this website going into it,” said Lerud.

“Looking at cached versions of the website it appears that the site was using Drupal 7. The presence of artifacts that give away what code they are running could suggest that the website administrators did not go out of their way to lock down the site. Drupal 7 also had a massive vulnerability known as “Drupalgeddon 2″ which was announced March 28th; if the website owners did not patch it is entirely possible this is how the ransomware got in.”

Why Ukraine?

Ukraine seems to have vulnerable cyberinfrastructure since Petya or NotPetya also known as Goldeneye ransomware initially started its infection from Ukraine by compromising computer systems at supermarkets, telecom, airports, banks and the power grid.

An ATM in Kiev shows a full preview of the GoldenEye ransom note (Image Credit: Twitter)

In the attack, malicious attackers demanded $388 worth of Bitcoin. On the other hand, the United Kingdom and the United States blamed Russia for using Petya ransomware attack against Ukraine for the ongoing crisis between both countries.

At the time of publishing this article, the targeted ministry website was offline. It is unclear if the ministry has paid ransom to the hackers or not.

The spokeswoman for the ministry said that “Our specialists are working on it right now. We do not know how long it will take to resolve the issue.”

Image credit: Depositphotos

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.