Flash Notice: Microsoft Warns - Ukrainian Organizations Targeted by Destructive Malware Disguised as Ransomware

Overview

Friday, January 15, 2022, Microsoft published a report detailing their discovery of destructive malware being used to corrupt the systems of several organizations in Ukraine. Microsoft’s initial discovery of the ransomware-like malware was made on January 13, 2022. According to Microsoft, the malware was designed to look like ransomware but lacks a ransom recovery mechanism. A few days prior to this incident, over 70 Ukrainian government websites were defaced by groups that are allegedly associated with the Russian secret service. However, Microsoft stated that they have yet to find any notable links between the new malware and the website attacks.  

After the two-stage malware executes via Impacket, it overwrites the MBR (Master Boot Record) on a system and includes a $10,000 Bitcoin ransom note (stage 1). After the intended device powers down, the malware executes. Microsoft stated that it’s atypical for cybercriminal ransomware to overwrite the MBR and they believe the ransom note is a ruse. They also believe that the malware destructs MBR and the contents of the files it targets. The malware is located in various working directories (including C:\PerfLogs, C:\ProgramData, C:\, and C:\temp) and is often named stage1.exe.  

Stage 2 (stage2.exe) of the malware is being described as a malicious file corrupter. After execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the downloaded link hardcoded in the downloader. The malware then locates files in certain directories using dozens of the most common file extensions and overwrites the contents of the file with a fixed number of 0xCC bytes (total file size of 1MB). After over-writing, the destructor renames each file with a random four-byte extension.  

The destructive malware was found on dozens of impacted systems and that number may grow as Microsoft furthers their investigation. The systems impacted include multiple government, non-profit, and information technology organizations based in the Ukraine. While Microsoft doesn’t know the current stage of the threat actor’s operational cycle or other geographic locations, they don’t believe the current impacted systems represent the full scope of impact.  

Because there isn’t a ransom recovery mechanism associated with the malware attacks, Microsoft is not sure of the threat actor’s goal. The bitcoin wallet address found in the ransom note was observed across all DEV-0586 intrusions and the only activity was a small transfer on January 14, 2022. Microsoft implemented protections to detect the malware family as WhisperGate (e.g., DoS:Win32/WhisperGate.A!dha) via Microsoft Defender Antivirus and Microsoft Defender for Endpoint, wherever these are deployed on-premises and in cloud environments. Microsoft stated that the investigation of the malware is ongoing.  

How Avertium is Protecting Our Customers:

• Avertium’s endpoint detection and response (EDR) is a platform of automated tools and capabilities that continuously monitor a system for suspicious activity within the security perimeter. EDR can be into detect mode or quarantine mode. Detect mode will fire an alert that an analyst can act upon, while quarantine mode will automatically kill processes it deems malicious on the targeted machine so it won't spread in the environment. 
• Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
• To identify the source of your breach and the scope that it reached; you’ll want to include Avertium’s DFIR services in your protection plan. We offer DFIR (Digital Forensics and Incident Response) to mitigate damage from a successful breach.  This service is provided as an on-demand crisis response service, as well as retainer-based program. 

Avertium's recommendations

Microsoft and Avertium recommend the following to mitigate the malware: 

• Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion. 
• Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity. 
• Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity.  NOTE: Microsoft strongly encourages all customers download and use password-less solutions like Microsoft Authenticator to secure accounts. 
• Enable Controlled folder Access (CFA) in Microsoft Defender for Endpoint to prevent MBR/VBR modification. 

INDICATOR'S OF COMPROMISE (IOCS):

Note: Avertium is working to detect more IoCs, therefore this list should not be considered exhaustive. 

• a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 (stage1.exe) 
• dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 (stage2.exe) 
• cmd.exe /Q /c start c:\stage1.exe 1> \\127.0.0.1\ADMIN$\__[TIMESTAMP] 2>&1 

references

Destructive malware targeting Ukrainian organizations - Microsoft Security Blog 

Microsoft says 'destructive malware' being used against Ukrainian organizations | ZDNet 

Related Reading:

Y2KK? Microsoft Exchange Server Breaks as we Welcome the New Year 

Contact us for more information about Avertium’s managed security service capabilities.