In Ukraine, destructive malware detected by Microsoft


Microsoft has discovered "wiper" malware used to corrupt the systems of several organizations in Ukraine. In a blog post published on Saturday, the Microsoft Threat Intelligence Center (MSTIC) team says it first identified the malware, which is disguised as ransomware, on January 13.

No evidence linking the malware to the website attacks

The news comes days after more than 70 Ukrainian government websites were defaced by groups allegedly linked to Russian intelligence services.

But Microsoft says it "found no significant association" between the malware it uncovered and the website defacements of the previous week. "MSTIC believes that the malware, which is designed to look like ransomware but lacks a ransom recovery mechanism, is intended to be destructive and aims to render targeted devices inoperable rather than obtain a ransom," explains the software giant.

“Based on Microsoft’s visibility, our investigation teams have currently identified the malware on dozens of impacted systems and this number may increase as our investigation continues. These systems involve several government, non-profit and IT organizations, all based in Ukraine. We do not know the current stage of this attacker’s operational cycle or the number of other victim organizations that may exist in Ukraine or other locations.”

Unclear objective

Microsoft says the exact purpose of the malware is still unclear, but all Ukrainian government agencies, nonprofits, and businesses should be wary of it.

According to Microsoft, it is a Master Boot Record (MBR) wiper with “unique” capabilities. The malware is executed via Impacket and overwrites the system’s Master Boot Record with a ransom note demanding $10,000 in bitcoin. The Master Boot Record is the first addressable sector of a drive and holds the first code a device executes when it boots, so the overwritten sector takes effect once the device is powered down and restarted. Microsoft notes that overwriting the MBR is “atypical” for cybercriminal ransomware.

Even though a ransom note is included, it is a ruse, according to Microsoft’s analysis. The malware locates files in certain directories that carry dozens of the most common file extensions and overwrites their contents with a fixed number of 0xCC bytes. After overwriting the contents, the malware renames each file with a seemingly random four-byte extension, Microsoft says.
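The two artefacts Microsoft describes, file contents replaced with 0xCC bytes plus a four-byte extension, and an MBR whose bootstrap area holds ransom-note text, are things a responder can check for on a forensic image or a copied file set. The script below is an added example written for this page, not Microsoft’s code and not the malware; the printable-text threshold, the allowlist of legitimate four-character extensions and every sample file and sector are constructed assumptions, and the placeholder note text is not the real ransom note.

```python
"""Added triage example (not MSTIC's code, not the malware): checks for the two
artefacts described above, files overwritten with 0xCC bytes and renamed with a
four-byte extension, and an MBR whose bootstrap area holds ransom-note text.
Thresholds, the extension allowlist and all sample data are assumptions."""
import re
import string

MBR_SIZE = 512
BOOTSTRAP_END = 446             # bytes 446..509 are the partition table
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511 of a bootable sector
WIPE_BYTE = 0xCC                # overwrite pattern reported by Microsoft
PRINTABLE = set(string.printable.encode())
# Legitimate four-character extensions; a partial list and an assumption.
COMMON_4CHAR_EXTS = {"docx", "xlsx", "pptx", "json", "html", "yaml", "java", "jpeg"}
EXT_RE = re.compile(r"\.([A-Za-z0-9]{4})$")


def is_wiped(data: bytes) -> bool:
    """True when the whole content is 0xCC bytes, the wiper's fill pattern."""
    return len(data) > 0 and data.count(WIPE_BYTE) == len(data)


def has_suspicious_extension(name: str) -> bool:
    """Four-character extension that is not a well-known one."""
    m = EXT_RE.search(name)
    return m is not None and m.group(1).lower() not in COMMON_4CHAR_EXTS


def printable_ratio(blob: bytes) -> float:
    """Share of bytes that are printable ASCII."""
    return sum(1 for b in blob if b in PRINTABLE) / len(blob) if blob else 0.0


def inspect_mbr(sector: bytes, text_threshold: float = 0.6) -> dict:
    """Heuristic: bootstrap code is mostly machine code, a ransom note is mostly
    text. The 0.6 threshold is an assumption, not a value from the report."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    ratio = printable_ratio(sector[:BOOTSTRAP_END])
    return {
        "boot_signature_ok": sector[-2:] == BOOT_SIGNATURE,
        "bootstrap_printable_ratio": round(ratio, 3),
        "suspect_text_in_bootstrap": ratio >= text_threshold,
    }


def triage_files(files: dict) -> list:
    """files maps name -> content. Returns (name, extension_suspicious) for
    every file whose content matches the wipe pattern; content is the primary
    indicator, the extension only a corroborating one."""
    return [(name, has_suspicious_extension(name))
            for name, data in files.items() if is_wiped(data)]


def sample_files() -> dict:
    """Constructed sample set, not real victim data."""
    return {
        "report.docx": b"PK\x03\x04" + b"\x00" * 60,      # intact Office file
        "budget.xlsx.ab3f": bytes([WIPE_BYTE]) * 4096,  # wiped and renamed
        "notes.txt": b"\xcc\xcc\xcc hello",             # partial match, intact
    }


def sample_mbrs() -> dict:
    """Constructed sectors: code-like filler for the clean one, placeholder
    note text (not the real note) for the wiped one."""
    code_like = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 56)[:BOOTSTRAP_END]
    note = b"Your hard drive has been corrupted. Pay to recover it.".ljust(BOOTSTRAP_END, b" ")
    tail = b"\x00" * 64 + BOOT_SIGNATURE   # empty partition table + signature
    return {"clean": code_like + tail, "wiped": note + tail}


if __name__ == "__main__":
    print(triage_files(sample_files()))
    for label, sector in sample_mbrs().items():
        print(label, inspect_mbr(sector))
```

Run it against copies or a mounted image, never the live host. The 0x55AA signature is reported separately from the text heuristic because the article does not say whether the overwrite preserves it, and a 0xCC-only content match is the reliable indicator; the four-character extension alone would also flag ordinary .docx or .json files, which is why it is only a corroborating signal here.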

Incompatibility “with ransomware activity”

This type of attack is “incompatible with cybercriminal ransomware activity” observed by Microsoft, because criminal ransomware is usually tailored to each victim.

“In this case, the same mechanism was observed in several victims. Virtually all ransomware encrypts the contents of files on the file system. In this case, the malware overwrites the MBR without recovery mechanism. Payment amounts and cryptocurrency wallet addresses are rarely specified in modern criminals’ ransom notes, but they were specified here,” Microsoft notes.

“The same bitcoin wallet address was observed in all intrusions and, at the time of analysis, the only activity was a small transfer on January 14. It is rare for the communication method to be just a Tox ID, an identifier for use with the Tox encrypted messaging protocol. Typically, there are websites with support forums or multiple contact methods (including email) to make it easier to get in touch with the victim. Most criminal ransom notes include a personalized ID that the victim has to send in their communications with the attackers. This is an important part of the process, as the custom ID corresponds to a victim-specific decryption key. In this case, the ransom note does not contain a personalized ID.”

Microsoft is building detections for this malware and has also published a series of security recommendations for organizations that may have been targeted.

Source: ZDNet.com