Malware Posing as Ransomware Responsible for Ukraine Cyberattack

Microsoft has published a more in-depth analysis of the recent Ukraine cyberattack, showing that the destructive malware is more like ransomware and follows a known pattern.

Following cyberattacks against Ukrainian government websites of the State Treasury, State Emergency Service, Cabinet of Ministers, Ministry of Foreign Affairs, Ministry of Sports, Ministry of Energy, Ministry of Education and Science and many others, security researchers identified the malware used and the method used to corrupt the systems.

Malware such as ransomware works simply. The attackers gain access to the infrastructure and deploy a tool that encrypts the data, allowing criminals to issue ultimatums and blackmails. Many ransomware families are operating in the wild at any given moment, but they all work primarily the same way.

As Microsoft discovered, the malware used in Ukraine is very similar to ransomware but with enhanced destructive capabilities. Basically, attackers were only interested in crippling the system and making data recovery impossible.

“The two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note (Stage 1),” said Microsoft. “The malware executes when the associated device is powered down. Overwriting the MBR is atypical for cybercriminal ransomware. In reality, the ransomware note is a ruse and that the malware destructs MBR and the contents of the files it targets.”

It’s unlikely that this was an actual ransomware attack for multiple reasons. For example, ransoms are sought on a case per case basis, not the same one across the board. Ransomware attacks are not designed to be this destructive and attackers don’t offer cryptocurrency wallet addresses with the ransom note. Also, the second part of the malware underlines its destructive nature.

“Stage2.exe is a downloader for a malicious file corrupter malware,” Microsoft explains. “Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. the corrupter overwrites the contents of the file with a fixed number of 0xCC bytes (total file size of 1MB). After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension. Once executed in memory, the corrupter locates files in certain directories.”

A similar campaign took place in 2017, with the NotPetya ransomware variant that affected numerous countries and institutions. It followed the same recipe, with modified ransomware designed to do maximum damage.

Microsoft also published all available indicators of compromise (IOCs) so anyone can now recognize the new threat.