Microsoft says ‘destructive malware’ being used against Ukrainian organizations

Microsoft said it has discovered a destructive malware being used to corrupt the systems of multiple organizations in Ukraine. In a blog published on Saturday, Microsoft Threat Intelligence Center (MSTIC) said it first discovered the ransomware-like malware on January 13. 

The news comes days after more than 70 Ukrainian government websites were defaced by groups allegedly associated with Russian secret services. But Microsoft said it “has not found any notable associations” between the malware it found and the website attacks that occurred last week. 

“MSTIC assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom,” Microsoft explained. 

“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues. These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine. We do not know the current stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations. However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.”

Microsoft added that it is still unclear what the purpose of the malware is but said all Ukrainian government agencies, non-profits and companies should be on the lookout for it. 

They said it initially appeared to be possible Master Boot Records (MBR) Wiper activity and called the malware’s capabilities “unique.”

The malware executes via Impacket and overwrites the MBR on a system with a ransom note demanding $10,000 in Bitcoin. Once a device powers down, the malware executes, and Microsoft said it was “atypical” for cybercriminal ransomware to overwrite the MBR. 

Even though a ransom note is included, it is a ruse, according to Microsoft’s analysis. The malware locates files in certain directories with dozens of the most common file extensions and overwrites the contents with a fixed number of 0xCC bytes. After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension, Microsoft explained. 

Microsoft said this kind of attack is “inconsistent with cybercriminal ransomware activity” they have observed because typically, ransomware payloads are customized for each victim. 

“In this case, the same ransom payload was observed at multiple victims. Virtually all ransomware encrypts the contents of files on the filesystem. The malware in this case overwrites the MBR with no mechanism for recovery. Explicit payment amounts and cryptocurrency wallet addresses are rarely specified in modern criminal ransom notes, but were specified by DEV-0586,” Microsoft explained.

“The same Bitcoin wallet address has been observed across all DEV-0586 intrusions and at the time of analysis, the only activity was a small transfer on January 14. It is rare for the communication method to be only a Tox ID, an identifier for use with the Tox encrypted messaging protocol. Typically, there are websites with support forums or multiple methods of contact (including email) to make it easy for the victim to successfully make contact. Most criminal ransom notes include a custom ID that a victim is instructed to send in their communications to the attackers. This is an important part of the process where the custom ID maps on the backend of the ransomware operation to a victim-specific decryption key. The ransom note in this case does not include a custom ID.”

Microsoft added that it was in the process of creating detections for the malware and provided a slate of security recommendations for organizations that may have been targeted. 

Rick Holland, CISO at Digital Shadows, told ZDNet that while Microsoft doesn’t attribute the activity to Russia, it isn’t a substantial analytical stretch to associate these malicious actions with Russian interests. 

The ransomware ruse, he said, gives the threat actor a thin veneer of plausible deniability but as Microsoft states, the full scope of the campaign isn’t clear. 

“Destructive ransomware won’t be the only option available to the attacker. If you look back at 3rd party attacks like last year’s SolarWinds, you could see similar-style campaigns where malicious actors have spent years undetected on Ukrainian victim networks,” Holland said.

“This activity isn’t unprecedented; it is a part of Russian doctrine. Whether Russia encourages other actors or directs cyber operations themselves, Russia seeks to disrupt government and private institutions of their geopolitical opponents. We have seen similar playbooks in the 2007 denial of service attacks against Estonia, the cyber-attacks during the 2014 Crimea annexation, and the destructive malware used in the Petya and MeDoc attacks against Ukraine in 2017.”

Holland noted that the recovery process with destructive malware is challenging and can often depend on the security controls that were in place before the attack. He estimated it could take days to weeks for affected organizations to recover, explaining that it took more than a week for Saudi Aramco to recover from Shamoon in 2012 and months for organizations to recover from NotPetya. 

Netenrich’s John Bambenek echoed Holland’s remarks, telling ZDNet that Russia has previously used ransomware as a cover for destructive attacks in the past. 

“Russia’s typical ploy is to leave just enough ambiguity to claim in public that it wasn’t them but to leave enough fingerprints so everyone in the room knows its them to project a deterrent on other countries in the region. Recovery depends on each entity but Ukraine has a long history of responding to and recovering from sabotage attacks from Russia,” Bambenek said. 

“MBR and other wipers are fairly common. We haven’t seen much in recent years but the tool has always been in the tool chest when the mission is sabotage.”