Microsoft: ‘Destructive malware’ fakes ransomware to target Ukrainian orgs

Microsoft discovered a “destructive malware” that can wipe data on dozens of computer systems and mainly target organizations in Ukraine.

Microsoft Threat Intelligence Center (MSTIC) has discovered a “destructive malware” that can wipe data on dozens of computer systems and mainly target organizations in Ukraine.

Microsoft Threat Intelligence Center (MSTIC) researchers have published a report citing details of a malware campaign targeting Ukrainian tech organizations, government agencies, and non-profit organizations. 

The malware first surfaced on Ukrainian systems on 13 January 2022 and holds significance given the current geopolitical situation in the country. Many government websites were hacked between Thursday and Friday through the Kyiv-based firm Kitsoft, a well-known software vendor.

Reportedly, many Ukrainian government agencies’ websites were hacked this week, and attackers replaced the home page’s content with threatening messages to the government, revealing that their data has been compromised.

Microsoft researchers explain that the destructive computer code poses an “elevated risk to any government agency, non-profit or enterprise located or with systems in Ukraine.”

Possible Perpetrators?

Ukraine’s national security and defense council’s deputy secretary, Serhiy Demedyuk, stated that the government suspects a hacking group having ties with Belarusian intelligence could be responsible for this hacking.

But, Microsoft stated that it is currently unclear who’s responsible for the hacks. Yet, due to geopolitical tensions between Russia and Ukraine, the involvement of Russian hackers can not be ruled out.

Technical Analysis

Researchers wrote that it looked like a Master Boot Records (MBR) Wiper activity initially. The malware is executed through Impacket and overwrites the system’s MBR with a fake ransom note demanding $10,000 in Bitcoin from the victim. After the device shuts down, the malware is executed.

Microsoft: Destructive malware' mimicking ransomware to target Ukraine
Screenshot of the ransom note which according to Microsoft is fake

Researchers noted that it is unlike other cybercriminal ransomware because, in this campaign, the malware overwrites the MBR and that despite uploading ransom notes, it could be just a trick since the malware locates files in specific directories with dozens of common file extensions and overwrites them with a fixed number of 0xCC bytes.

Afterward, the destructor renames every file with a random 4-byte extension.

Types of extensions identified by Microsoft

An Atypical Malware

According to MSTIC, the computer code used to destruct Ukrainian agencies’ computers is designed to appear like ransomware. However, it lacks the common features of ransomware and didn’t carry out commonly observed cybercriminal ransomware activities.

“In this case, the same ransom payload was observed at multiple victims. Virtually all ransomware encrypts the contents of files on the filesystem. The malware in this case overwrites the MBR with no mechanism for recovery. Explicit payment amounts and cryptocurrency wallet addresses are rarely specified in modern criminal ransom notes but were specified by DEV-0586,” Microsoft’s blog post read.

Kitsoft claims that it is in contact with the government and helping in bringing the websites back online. On the other hand, in a tweet, the United States Computer Emergency Readiness Team (US-CERT) has urged “network defenders” to review the Microsoft blog on destructive malware targeting Ukrainian organization.

Related Posts