Malware Posing as Ransomware Responsible for Ukraine Cyberattack

Silviu STAHIE

January 17, 2022

Microsoft has published a more in-depth analysis of the recent Ukraine cyberattack, showing that the destructive malware only looks like ransomware and follows a pattern seen before.

Following the attacks on Ukrainian government websites, including those of the State Treasury, State Emergency Service, Cabinet of Ministers, Ministry of Foreign Affairs, Ministry of Sports, Ministry of Energy and Ministry of Education and Science, security researchers identified the malware involved and the method it used to corrupt the systems.

Ransomware works simply. The attackers gain access to the infrastructure and deploy a tool that encrypts the data, which lets the criminals issue ultimatums and make blackmail demands. Many ransomware families are active in the wild at any given moment, but they all work in much the same way.

As Microsoft found, the malware used in Ukraine closely resembles ransomware but carries additional destructive capabilities. The attackers were interested only in crippling the systems and making data recovery impossible.

“The two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note (Stage 1),” said Microsoft. “The malware executes when the associated device is powered down. Overwriting the MBR is atypical for cybercriminal ransomware. In reality, the ransomware note is a ruse, and the malware destroys the MBR and the contents of the files it targets.”

It’s unlikely that this was a genuine ransomware attack, for several reasons. Ransom demands are normally tailored to each victim, not identical across the board. Criminal ransomware is not designed to be this destructive: it encrypts files so that recovery is possible once the ransom is paid, whereas here the MBR is overwritten with no way back. Modern criminal ransom notes also rarely spell out a fixed payment amount and a cryptocurrency wallet address, as this one did. And the second stage of the malware underlines its destructive nature.

“Stage2.exe is a downloader for a malicious file corrupter malware,” Microsoft explains. “Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. The corrupter overwrites the contents of the file with a fixed number of 0xCC bytes (total file size of 1MB). After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension. Once executed in memory, the corrupter locates files in certain directories.”
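As an added example, not code from Microsoft's analysis or from this article, the following Python script turns the behaviour described in the two quotes above into a pair of heuristic checks a responder could run: one over a raw 512-byte boot sector, one over a file tree. Everything it assumes beyond the text is labelled: the "four-byte extension" is taken to be four alphanumeric characters, a corrupted file is taken to be exactly 1 MB of 0xCC, the "normal MBR" rules (0x55AA signature, partition status bytes of 0x00 or 0x80, no long printable text in the bootstrap area) are generic heuristics rather than a signature for this particular sample, and the sample sector and files are constructed inline.

```python
"""
Added example (not Microsoft's or Bitdefender's code): two heuristic checks
drawn from the description quoted above. Assumptions beyond the text are
marked as such in the comments.
"""
import os
import re
import string
import tempfile

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446              # four 16-byte partition entries live here
BOOT_SIGNATURE = b"\x55\xaa"
WIPE_BYTE = 0xCC                     # "fixed number of 0xCC bytes"
WIPE_SIZE = 1024 * 1024              # "total file size of 1MB" (assumed exact)
# "seemingly random four-byte extension": assumed to be four alphanumerics.
RANDOM_EXT = re.compile(r"^\.[A-Za-z0-9]{4}$")
PRINTABLE = set(string.printable.encode())


def mbr_is_suspicious(sector: bytes, min_text_run: int = 40) -> bool:
    """Heuristic: flag a boot sector that no longer looks like a normal MBR.

    A normal MBR ends in 0x55AA, each partition entry starts with 0x00 or
    0x80, and the bootstrap area holds machine code, not a long ASCII note.
    """
    if len(sector) != SECTOR_SIZE or sector[-2:] != BOOT_SIGNATURE:
        return True
    for i in range(4):
        status = sector[PART_TABLE_OFFSET + 16 * i]
        if status not in (0x00, 0x80):
            return True
    # A ransom note printed by the boot code shows up as a long printable run.
    run = longest = 0
    for b in sector[:PART_TABLE_OFFSET]:
        run = run + 1 if b in PRINTABLE else 0
        longest = max(longest, run)
    return longest >= min_text_run


def file_looks_wiped(path: str) -> bool:
    """True when a file matches the corrupter's footprint: 1 MB of 0xCC with
    a four-character extension. Reads in chunks to avoid loading each file."""
    try:
        size = os.path.getsize(path)
    except OSError:
        return False
    if size != WIPE_SIZE or not RANDOM_EXT.match(os.path.splitext(path)[1]):
        return False
    with open(path, "rb") as fh:
        while chunk := fh.read(65536):
            if chunk != bytes([WIPE_BYTE]) * len(chunk):
                return False
    return True


def scan_tree(root: str) -> list[str]:
    """Walk a directory tree and return the paths that look wiped, sorted."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if file_looks_wiped(path):
                hits.append(path)
    return sorted(hits)


def sample_clean_mbr() -> bytes:
    """Constructed sample: a few real-looking opcodes, one active partition."""
    bootstrap = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(PART_TABLE_OFFSET, b"\x00")
    entry0 = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF,
                    0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00])
    return bootstrap + entry0 + b"\x00" * 48 + BOOT_SIGNATURE


def sample_wiped_mbr() -> bytes:
    """Constructed sample: boot code that prints a note, partition table gone."""
    note = b"YOUR FILES HAVE BEEN WIPED. THERE IS NO WAY TO GET THEM BACK. (sample)"
    bootstrap = (b"\xb8\x00\x00\x8e\xd8" + note).ljust(PART_TABLE_OFFSET, b"\x00")
    return bootstrap + b"\x00" * 64 + BOOT_SIGNATURE


def build_sample_tree() -> str:
    """Create constructed files in a temp dir: one wiped, two that are not."""
    root = tempfile.mkdtemp(prefix="wiper_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "budget.xlsx.Qz7k"), "wb") as fh:
        fh.write(bytes([WIPE_BYTE]) * WIPE_SIZE)      # matches the footprint
    with open(os.path.join(docs, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly notes, untouched\n")     # ordinary file
    with open(os.path.join(docs, "blob.Ab12"), "wb") as fh:
        fh.write(bytes([WIPE_BYTE]) * 4096)           # right byte, wrong size
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("suspicious files:", scan_tree(root))
    print("clean MBR flagged:", mbr_is_suspicious(sample_clean_mbr()))
    print("wiped MBR flagged:", mbr_is_suspicious(sample_wiped_mbr()))
```

On a live host the sector check would be fed the first 512 bytes of the physical disk (for example `\\.\PhysicalDrive0` on Windows, opened read-only) and the tree scan pointed at user data directories; both checks are deliberately conservative, so a hit is a reason to image the disk, not proof of this specific malware.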

A similar campaign took place in 2017 with NotPetya, which spread as a ransomware variant but was built for maximum damage, and affected numerous countries and institutions. The recipe was the same: code that looks like ransomware but leaves no route to recovery.

Microsoft also published the available indicators of compromise (IOCs), so defenders can now hunt for the new threat in their own environments.
