Microsoft rang alarm bells last week about the threat from Disk Wiper, a malware that poses as ransomware but permanently deletes all files from targeted systems. The malware uses Impacket to corrupt systems and overwrites the master boot record (MBR) with a ransom note demanding $10,000 in Bitcoin.
Last week, Microsoft's threat intelligence team released its analysis of a destructive malware attack targeting several organizations in Ukraine. The malware, known as Disk Wiper, was directed at government and private computer systems in the country and rendered them "inoperable," posing a great danger to the country, Microsoft said in a post.
Although the "ransomware" (which was possibly a different kind of malware) targeted businesses in Ukraine, Microsoft acknowledges that there may be unnamed victims in "other geographical places," including the U.S. and the UK.
According to Ukraine's cyber police, the cyberattack on government systems appears to have ruined "external information resources, implying that the attack extended beyond momentarily defacing official websites." The hack targeted roughly 70 government websites, including the Security and Defense Council, the Cabinet of Ministers, and many other ministries.
Besides, the attackers manually deleted several external information resources, the cyber police added, without specifying what these resources were.
"Be Afraid and Expect the Worst"
The unknown hackers, who vandalized multiple Ukrainian government websites, left a cryptic warning to Ukrainian nationals who tried to access the affected services. "All data on the computer is being annihilated; it is impossible to retrieve it," stated a notice written in Ukrainian, Russian, and Polish that appeared late last week on at least some of the infected computers. "Be afraid and expect the worst since every information about you has gone public."
The malware first emerged on targeted computers in Ukraine on January 13. Dubbed Whispergate by Microsoft, it posed as ransomware and demanded $10,000 in bitcoin in exchange for data restoration.
Whispergate has no mechanism to deliver decryption keys or provide technical support to victims, features shared by practically all functioning ransomware in the world. The malware runs when the targeted device is powered down. Microsoft described it as "atypical" for cybercriminal ransomware to overwrite the MBR.
"MSTIC assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom," the company said.
Given the scale of the observed intrusions, MSTIC (Microsoft Threat Intelligence Center) could not assess the intent of the identified destructive actions but warned that these actions represented an elevated risk to any government agency, non-profit or enterprise located or with systems in Ukraine.
"We strongly encourage all organizations to immediately conduct a thorough investigation and to implement defenses using the information provided in this post," added MSTIC.
"The organizations affected by this malware include government agencies that provide critical executive branch or emergency response functions and an IT firm that manages websites for public and private sector clients, including government agencies whose websites were recently defaced," said Tom Burt, corporate VP of security and trust at Microsoft, in a corporate blog post.
Burt added, "We have already built and deployed protections for this malware into Microsoft 365 Defender Endpoint Detection (EDR) and Anti-virus (AV) protections wherever these products are deployed, both on-premises and in the cloud. We see no indication so far that these attacks utilize any vulnerability in Microsoft products and services."
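As an added defensive example (not code from the article, Microsoft, or MSTIC), the following Python script parses the first sector of a disk image and flags the symptoms of an MBR that has been overwritten with a text note rather than boot code: a missing 0x55AA boot signature, an empty partition table, and a bootstrap area that is mostly printable text. Both sample sectors are constructed here for illustration; the note text does not reproduce the real payload.

```python
import string

SECTOR_SIZE = 512
PRINTABLE = string.printable.encode()

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):                       # four 16-byte entries start at offset 446
        entry = sector[446 + 16 * i: 462 + 16 * i]
        if any(entry):                       # skip all-zero (unused) entries
            partitions.append({
                "bootable": entry[0] == 0x80,
                "type": entry[4],
                "lba_start": int.from_bytes(entry[8:12], "little"),
                "sectors": int.from_bytes(entry[12:16], "little"),
            })
    bootstrap = sector[:446]
    printable = sum(b in PRINTABLE for b in bootstrap)
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "partitions": partitions,
        "printable_ratio": printable / len(bootstrap),
    }

def assess_mbr(sector: bytes) -> list:
    """Return findings that suggest the MBR was overwritten with a text note."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if not info["partitions"]:
        findings.append("empty partition table")
    if info["printable_ratio"] > 0.6:        # real x86 boot code is mostly non-text
        findings.append("bootstrap area is mostly printable text")
    return findings

# Constructed sample: a plausible healthy MBR (boot-code bytes, one type 0x07 partition, signature)
HEALTHY_MBR = (
    (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 56)[:446]
    + bytes([0x80, 0, 0x21, 0, 0x07, 0xfe, 0xff, 0xff])
    + (2048).to_bytes(4, "little") + (1_000_000).to_bytes(4, "little")
    + b"\x00" * 48
    + b"\x55\xaa"
)
# Constructed sample: first sector replaced by a note (illustrative text, not the real payload)
WIPED_MBR = (b"Your hard drive has been corrupted. Send $10,000 in bitcoin.\r\n" * 12)[:512]

if __name__ == "__main__":
    for name, mbr in (("healthy", HEALTHY_MBR), ("wiped", WIPED_MBR)):
        print(name, assess_mbr(mbr) or ["no findings"])
```

On a live system the same check can be run against the first 512 bytes of the boot disk (for example from a forensic image) and compared with a known-good copy taken at baseline.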
Who's behind the Attacks?
According to preliminary results from a combined investigation by numerous Ukrainian state agencies, a threat actor group identified as UNC1151 was likely behind the defacement hack, said Serhiy Demedyuk, deputy chairman of Ukraine's National Security and Defense Council. Security company Mandiant has connected the attack to the Ghostwriter influence effort.
"This is a cyberespionage group affiliated with the special services of the Republic of Belarus," Demedyuk told Reuters. "The group specializes in cyberespionage, which is associated with the Russian special services and which, for its attacks, resorts to recruiting or undercover work of its insiders in the right company," he said.
UNC1151 was accused of being behind an operation to steal official credentials and disseminate disinformation throughout Europe, according to a report issued in November by Mandiant. The private security company also stated that it has "moderate confidence" in Belarus being "at least partially responsible" for the Ghostwriter campaign.
"Russian contributions to UNC1151 or Ghostwriter cannot be ruled out," Mandiant added.