Microsoft Security Report: Destructive Malware Found To Be Targeting Ukrainian Organizations

A recent run of attacks on Ukraine government websites is being followed up by “ransomware without the ransom” attempts on a broader range of organizations, according to the Microsoft Threat Intelligence Center (MSTIC). The destructive malware that is currently being spread acts like ransomware in that it locks up target systems by encrypting key files, but there is no payment option or any apparent way to get the threat actor to reverse the attack.

The use of ransomware without an accompanying ransom demand is extremely unusual, especially for such a broad campaign, a sign that Russia’s state-backed threat actors are once again responsible. The current campaign of destructive malware is targeting Ukraine’s government organizations, but also non-profit entities and private companies in the information technology industry.

Destructive malware spreads in Ukraine, recalling 2017 NotPetya attack

Though it would appear to be the work of Russian hackers given the geopolitical circumstances, MSTIC stresses that the threat group behind this destructive malware (dubbed DEV-0586, with the malware given the name “WhisperGate”) has not yet been concretely linked to the actions of any other hacking group. The first attacks were spotted on January 13.

MSTIC says that the malware has been found on “dozens” of systems thus far, belonging to both public and private organizations. Among private groups there seems to be a focus on organizations with a connection to the government and IT service providers. They warn that this is also not the full count of likely victims and that the “full scope” of the destructive malware is not yet apparent, particularly in cases where it may have migrated outside Ukrainian borders. MSTIC is assuming nation-state activity for the purposes of reporting policy, however, and says it will directly contact any party it thinks is being targeted to warn them.

The attacker apparently uses a standard procedure that starts with overwriting the Master Boot Record (MBR) with a fake ransom note asking for $10,000. Though the note contains contact information and a Bitcoin wallet address, MSTIC says that this is all fake and the real purpose of the destructive malware is to destroy files on the target device (which will happen immediately no matter what the recipient does). The MBR is also overwritten in such a way that it cannot be recovered. When the device is powered down, the malware will look for files with certain extensions (about 250 commonly used types) and corrupt them beyond repair.

MSTIC says that it has added protections against this attack to its Microsoft Defender products. Among other recommended security steps, it advises targets to review all authentication activity for remote access infrastructure and to enable Controlled Folder Access (CFA) in Microsoft Defender for Endpoint, which blocks modification of the MBR/VBR.
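The two mitigations MSTIC recommends above can be applied and checked from an elevated PowerShell session on a Windows host running Microsoft Defender Antivirus. The following is an added example written for this article, not code from MSTIC's report or from Microsoft; the protected-folder and application paths are placeholders, and the remote-logon query assumes the host's audit policy records logon events (ID 4624).

```powershell
# Added example (not from the MSTIC report or this article): audit, then
# enable, Controlled Folder Access (CFA), and review recent remote logons.
# Run in an elevated PowerShell session on a Windows host with Defender AV.

# 1. Current CFA state: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode
$pref = Get-MpPreference
"CFA state before change: $($pref.EnableControlledFolderAccess)"

# 2. Start in audit mode so legitimate applications that write to protected
#    folders are logged rather than blocked, and can be allow-listed first.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Protect a folder beyond the Windows defaults (placeholder path).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Shares\Finance'

# 4. Allow a known-good application that legitimately writes to protected
#    folders (placeholder path); unlisted binaries are blocked once enabled.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Backup\backup.exe'

# 5. Review what CFA has audited (event 1124) or blocked (event 1123) in the
#    Defender operational log before switching to block mode.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 6. Once the allow-list is complete, switch CFA to block mode. This is the
#    setting MSTIC says prevents MBR/VBR modification.
Set-MpPreference -EnableControlledFolderAccess Enabled
"CFA state after change: $((Get-MpPreference).EnableControlledFolderAccess)"

# 7. Remote-access review: successful logons (4624) of type 10
#    (RemoteInteractive, i.e. RDP) over the last 7 days, with source address.
#    Property indexes follow the 4624 event schema: 5 = TargetUserName,
#    8 = LogonType, 18 = IpAddress.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    Select-Object TimeCreated,
        @{ n = 'User';   e = { $_.Properties[5].Value } },
        @{ n = 'Source'; e = { $_.Properties[18].Value } } |
    Format-Table -AutoSize
```

Running CFA in audit mode first matters on servers: backup agents, database engines and document-management tools routinely write to the default protected folders, and enabling block mode without an allow-list can itself cause an outage. The logon query covers only RDP; VPN and other remote-access gateways keep their own authentication logs, which MSTIC's advice also covers.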

The whole incident brings to mind the spread of NotPetya malware in 2017, another incident that began with specific attacks on organizations in Ukraine. This was particularly destructive malware as it escaped its intended theater of operation (starting out in Ukrainian tax preparation software) and spread throughout the world, causing an estimated total $10 billion in damage and hitting international firms such as FedEx and Merck. Like the current attack, NotPetya posed as ransomware asking for a relatively small payment but was in fact destroying files to a point beyond repair as soon as it established itself on a target system.

Destructive malware looks like an extension of Russian cyber aggressions, but plausible deniability remains

Though there is little information on the source of this destructive malware at present, the Ukraine government fingered a Belarus intelligence service as the perpetrator of the other recent cyber attack that defaced some 70 government websites. The spy agencies of Russia and Belarus have a cooperative working agreement that dates back to at least mid-2021.

Russian attacks of this nature also date back more than a decade. The country is believed to have been toying with Ukraine since at least 2014, but similar defacement and denial of service attacks have been committed against Georgia since 2008 and Estonia since 2007. Russia always maintains at least some thin layer of plausible deniability in these attacks, but it is difficult to think of another actor that would pour so much energy into efforts that merely destroy assets and bring no other rewards.

Recovering from an attack of this type, something that is essentially “cyber warfare,” also presents a unique challenge for organizations. With ransomware, the dilemma is often whether or not to pay the ransom and hope for the attacker to keep their word about decrypting files (something that appears to have at least a fair rate of success). Victims who have files irreparably corrupted can do nothing but restore from backups (assuming proper uncorrupted backups are available). There is at least one small positive, however, in that it does not appear that this destructive malware is exfiltrating sensitive information before it begins attacking.

Rick Holland, Chief Information Security Officer and Vice President of Strategy at Digital Shadows, provides some insight on what victims can expect: “The recovery time will depend on the security controls in place and the business continuity capabilities of each victim. Recovery time could range from days to weeks on the conservative side. It took Saudi Aramco more than a week to recover from Shamoon in 2012, and more recently, recovering from NotPetya’s destructive attacks was measured in months and years.”


Senior Correspondent at CPO Magazine