‘Destructive malware’ is being deployed against Ukrainian enterprises, according to Microsoft

Microsoft has uncovered a dangerous virus that is being used to infect the systems of various businesses in Ukraine, according to the company. Microsoft Threat Intelligence Center (MSTIC) initially found the ransomware-like software on January 13, according to a blog post published on Saturday.

The disclosure comes just days after Russian secret service-linked groups reportedly defaced more than 70 Ukrainian government websites. However, Microsoft said that “no noticeable correlations” have been discovered between the malware discovered with the website assaults that happened last week.

“MSTIC thinks that the virus, which seems to be ransomware but lacks a ransom recovery mechanism, is meant to be damaging and designed to make targeted machines useless rather than to extract a ransom,” Microsoft added.

“Our investigative teams have found the malware on dozens of afflicted computers so far, based on Microsoft visibility, and that number might rise as our investigation continues. Multiple government, non-profit, and information technology groups headquartered in Ukraine are involved in these systems. We don’t know where this attacker is in his operations cycle or how many more victim organisations he may have in Ukraine or elsewhere. However, it is doubtful that these afflicted systems reflect the entire extent of the harm as reported by other firms.”

Microsoft went on to say that the malware’s goal is yet unknown, but that all Ukrainian government institutions, non-profits, and businesses should be on the alert for it.

They described the malware’s capabilities as “unusual,” saying it originally seemed to be probable Master Boot Records (MBR) Wiper activity.

The virus uses Impacket to infect a machine and overwrites the MBR with a ransom note seeking $10,000 in Bitcoin. The virus runs while a device is turned off, and Microsoft described it as “atypical” for cybercriminal ransomware to replace the MBR.

According to Microsoft’s investigation, even if a ransom letter is included, it is a fake. The virus looks for files with dozens of popular file extensions in certain folders and overwrites their contents with a set quantity of 0xCC bytes. According to Microsoft, after overwriting the contents, the destructor renames each file with an apparently random four-byte extension.

This kind of assault, according to Microsoft, is “inconsistent with cybercriminal ransomware behaviour” they’ve seen since ransomware payloads are normally tailored for each victim.

“The identical ransom payload was found at many victims in this instance. Almost all ransomware encrypts the contents of the filesystem’s files. In this situation, the virus overwrites the MBR with no way of recovering it. Explicit payment sums and cryptocurrency wallet addresses are uncommon in recent criminal ransom messages, but DEV-0586 did so “Microsoft clarified the situation.

“The identical Bitcoin wallet address was found in all DEV-0586 incursions, and the only activity at the time of research was a minor payment on January 14. Only a Tox ID, an identification for use with the Tox encrypted messaging protocol, is an uncommon communication mechanism. To make it simple for the victim to make contact, there are usually websites with support forums or several channels of communication (including email). The majority of criminal ransom letters contain a unique ID that the victim must use in all conversations with the assailants. This is a critical step in the process, since the personalised ID translates to a victim-specific decryption key on the backend of the ransomware operation. In this scenario, there is no special ID on the ransom message.”

Microsoft also said that it was working on malware detections and offered a list of security advice for firms that may have been attacked.

While Microsoft did not ascribe the behaviour to Russia, Rick Holland, CISO at Digital Shadows, told ZDNet that it isn’t a significant analytical leap to link these malicious operations to Russian objectives.

According to him, the ransomware hoax offers the threat actor a thin veneer of plausible deniability, but the true breadth of the campaign is unknown, as Microsoft points out.

“The attacker will have other options than destructive ransomware. Similar-style efforts were seen in 3rd party assaults like last year’s SolarWinds, when hostile actors remained years unnoticed on Ukrainian target networks “Holland remarked.

“This behaviour isn’t unusual; it’s part of Russian ideology. Russia wants to destabilise government and business institutions of geopolitical opponents, whether via encouraging other actors or directly conducting cyber attacks. Similar playbooks were employed in denial-of-service attacks against Estonia in 2007, cyber-attacks following the invasion of Crimea in 2014, and destructive malware used in the Petya and MeDoc assaults against Ukraine in 2017.”

The recovery procedure with damaging malware, according to Holland, is difficult and frequently depends on the security mechanisms in place before to the assault. He projected that impacted firms might take days to weeks to recover, noting that it took Saudi Aramco more than a week to recover from Shamoon in 2012 and months for organisations to recover from NotPetya.

Russia has previously used ransomware as a cover for harmful operations, according to Netenrich’s John Bambenek, who told ZDNet that Russia has used ransomware as a cover for destructive assaults in the past.

“Russia’s typical ploy is to leave just enough ambiguity to claim in public that it wasn’t them but to leave enough fingerprints so everyone in the room knows its them to project a deterrent on other countries in the region. Recovery depends on each entity but Ukraine has a long history of responding to and recovering from sabotage attacks from Russia,” Bambenek said.

“MBR and other wipers are fairly common. We haven’t seen much in recent years but the tool has always been in the tool chest when the mission is sabotage.”