Destructive Malware That Hit Ukraine Can Target U.S. And U.K. Organizations, Warns Microsoft


Microsoft rang alarm bells last week about a destructive malware family that poses as ransomware but destroys data on infected systems with no means of recovery. In at least one observed intrusion the first stage was launched with Impacket, a publicly available toolkit for remote command execution; the malware then overwrites the master boot record (MBR) with a fake ransom note demanding $10,000 in Bitcoin.

Last week, Microsoft’s threat intelligence team released its analysis of a destructive malware attack targeting several organizations in Ukraine. The wiper, which Microsoft tracks as WhisperGate, was directed at government and private computer systems in the country and rendered them “inoperable,” posing a significant danger to the country, Microsoft said in a post.

Although the malware, which only masquerades as ransomware, targeted organizations in Ukraine, Microsoft acknowledges that there may be unnamed victims in “other geographical places,” including the U.S. and the U.K.

According to Ukraine’s cyber police, the attack on government systems also damaged “external information resources,” implying that it extended beyond briefly defacing official websites. The defacement hit roughly 70 government websites, including those of the Security and Defense Council, the Cabinet of Ministers, and many other ministries.

The attackers also manually deleted several external information resources, the cyber police added, without specifying what these resources were.

“Be Afraid and Expect the Worst”

The unknown hackers who defaced multiple Ukrainian government websites left a warning for Ukrainians who tried to access the affected services. “All data on the computer is being annihilated; it is impossible to retrieve it,” stated a notice written in Ukrainian, Russian, and Polish that appeared late last week on at least some of the infected computers. “Be afraid and expect the worst since every information about you has gone public.”

Microsoft’s Warning

The malware first appeared on targeted computers in Ukraine on January 13. Dubbed WhisperGate by Microsoft, it posed as ransomware, demanding $10,000 in Bitcoin in exchange for data restoration.

WhisperGate has no mechanism for delivering decryption keys or offering technical support to victims, features shared by practically all functioning ransomware. The MBR overwrite does not take effect immediately: the fake ransom note is displayed the next time the system is shut down or rebooted, when the machine can no longer boot its operating system. Microsoft noted that overwriting the MBR is “atypical” for cybercriminal ransomware.
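Because the MBR overwrite only becomes visible at the next reboot, a practitioner who suspects this kind of wiper wants to inspect the first sector of a disk before restarting it. The following checker, an added example that is not part of the original article or of Microsoft's analysis, parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA boot signature) and flags the three things a ransom-note overwrite disturbs: a missing signature, an empty partition table, and a long run of printable text where machine code should be. The two sample sectors, the "GOOD" one and the "WIPED" one, are constructed for this example and are not captured from a real infection; the ransom text and the 40-byte threshold are assumptions, chosen so that the short error strings found in ordinary MBRs are not flagged.

```python
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xAA"
# One partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes),
# LBA start, sector count. Little-endian, 16 bytes in total.
ENTRY_FMT = "<B3sB3sII"
# Assumed threshold: legitimate boot code carries short strings such as
# "Missing operating system" (24 chars); a ransom note is far longer.
TEXT_THRESHOLD = 40


def build_mbr(boot_code, partitions, signature=BOOT_SIGNATURE):
    """Assemble a 512-byte MBR from boot code, (status, type, lba_start, sectors)
    tuples and a trailing signature. Used here only to construct samples."""
    code = boot_code[:BOOT_CODE_SIZE].ljust(BOOT_CODE_SIZE, b"\x00")
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)
        for status, ptype, lba_start, sectors in partitions
    ).ljust(64, b"\x00")
    return code + table + signature


def parse_partitions(mbr):
    """Return the non-empty partition entries of an MBR as dicts."""
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:  # type 0x00 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def longest_printable_run(data):
    """Longest run of printable ASCII (plus CR/LF) in data."""
    best = cur = b""
    for b in data:
        if 0x20 <= b < 0x7F or b in (0x0A, 0x0D):
            cur += bytes([b])
            if len(cur) > len(best):
                best = cur
        else:
            cur = b""
    return best


def analyze_mbr(mbr):
    """Check a 512-byte sector for signs that a ransom note replaced the MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly %d bytes, got %d" % (MBR_SIZE, len(mbr)))
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("no 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("partition table empty")
    run = longest_printable_run(mbr[:BOOT_CODE_SIZE])
    if len(run) >= TEXT_THRESHOLD:
        findings.append("long printable text in boot-code region: %r" % run[:48])
    return {"partitions": parts, "findings": findings, "suspicious": bool(findings)}


def read_mbr(path):
    """Read the first sector of a disk image or raw device (needs privileges on a device)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


# Constructed sample 1: a plausible healthy MBR with a tiny code stub, the usual
# short error strings, and two NTFS (0x07) partitions.
GOOD_MBR = build_mbr(
    b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00" * 200
    + b"Invalid partition table\x00Error loading operating system\x00Missing operating system\x00",
    [(0x80, 0x07, 2048, 1048576), (0x00, 0x07, 1050624, 204800)],
)

# Constructed sample 2: the whole sector replaced by a stub that displays a note.
# The signature is kept so the machine still "boots" into the note; the
# partition table is gone. The note text is invented for this example.
WIPED_NOTE = b"Your files have been encrypted.\r\nSend $10,000 in Bitcoin to recover them."
WIPED_MBR = build_mbr(b"\xB8\x00\x00\xEB" + WIPED_NOTE, [])

if __name__ == "__main__":
    for name, sector in (("GOOD_MBR", GOOD_MBR), ("WIPED_MBR", WIPED_MBR)):
        print(name, analyze_mbr(sector))
```

On a live system the sector would come from `read_mbr("/dev/sda")` or, on Windows, `read_mbr(r"\\.\PhysicalDrive0")` run as administrator; the check is deliberately conservative, since a wiper that keeps the 0x55AA signature so the note can be shown at boot would pass a signature-only test, which is why the partition table and the text heuristic are checked as well.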

“MSTIC assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom,” the company said.


Given the scale of the observed intrusions, MSTIC (Microsoft Threat Intelligence Center) said it was not able to assess the intent behind the destructive actions, but warned that they represent an elevated risk to any government agency, non-profit or enterprise located in Ukraine or with systems there.

“We strongly encourage all organizations to immediately conduct a thorough investigation and to implement defenses using the information provided in this post,” added MSTIC.

“The organizations affected by this malware include government agencies that provide critical executive branch or emergency response functions and an IT firm that manages websites for public and private sector clients, including government agencies whose websites were recently defaced,” said Tom Burt, corporate VP of security and trust at Microsoft, in a corporate blog post.

Burt added, “We have already built and deployed protections for this malware into Microsoft 365 Defender Endpoint Detection (EDR) and Anti-virus (AV) protections wherever these products are deployed, both on-premises and in the cloud. We see no indication so far that these attacks utilize any vulnerability in Microsoft products and services.”


Who’s behind the Attacks?

According to preliminary results from a joint investigation by several Ukrainian state agencies, a threat actor group tracked as UNC1151 was likely behind the defacement, said Serhiy Demedyuk, deputy chairman of Ukraine’s National Security and Defense Council. Security company Mandiant has previously connected UNC1151 to the Ghostwriter influence campaign.

“This is a cyberespionage group affiliated with the special services of the Republic of Belarus,” Demedyuk told Reuters. “The group specializes in cyberespionage, which is associated with the Russian special services and which, for its attacks, resorts to recruiting or undercover work of its insiders in the right company,” he said.

UNC1151 was accused of being behind an operation to steal official credentials and disseminate disinformation throughout Europe, according to a report issued in November by Mandiant. The private security company also stated that it has “moderate confidence” in Belarus being “at least partially responsible” for the Ghostwriter campaign.

“Russian contributions to UNC1151 or Ghostwriter cannot be ruled out,” Mandiant added.


Let us know if you enjoyed reading this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!