
Microsoft: Ukrainian Companies Are Being Targeted by Destructive Malware

All the ransomware, none of the recovery capabilities.

By Nathaniel Mott
January 16, 2022

Microsoft reports that Ukrainian organizations are being targeted by malware that masquerades as ransomware but lacks the ability to recover data even if victims decide to pay the attackers.

The report is based on information gathered by the Microsoft Threat Intelligence Center (MSTIC), Digital Security Unit (DSU), Detection and Response Team (DART), and Microsoft 365 Defender Threat Intelligence Team. (Which has no acronym, for obvious reasons.) Microsoft says its many teams "are working to create and implement detections for this activity."

"At present and based on Microsoft visibility," the company says in a blog post about its findings, "our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues. These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine."

Microsoft is currently tracking these attacks as DEV-0586. The "DEV" designation indicates that this is "a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity," the company explains.

The malware from DEV-0586 is said to operate in two stages. The first stage of the malware overwrites the Master Boot Record, which Microsoft describes as "the part of a hard drive that tells the computer how to load its operating system," with the following ransom note:

Your hard drive has been corrupted.
In case you want to recover all hard drives
of your organization,
You should pay us $10k via bitcoin wallet
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via
tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65
with your organization name.
We will contact you to give further instructions.

"The malware executes when the associated device is powered down," Microsoft says. "Overwriting the MBR is atypical for cybercriminal ransomware. In reality, the ransomware note is a ruse and the malware destructs the MBR and the contents of the files it targets."

Microsoft says the malware's second stage downloads what "can best be described as a malicious file corrupter" from an attacker-controlled Discord channel. That malicious file corrupter searches for common file extensions "in certain directories on the system" and overwrites those files' contents before renaming them "with a seemingly random four-byte extension."
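The two behaviours described above, the MBR overwritten with a text note and the file corrupter's rename of documents to a random four-character extension, lend themselves to simple host triage checks a responder can run against a disk image and a copied directory tree. The Python below is an added example, not code from the article or from Microsoft. The 446-byte boot-code region, the four 16-byte partition entries and the 0x55AA signature are the standard MBR layout; the sample sectors, the file names, the extension allow-list and the 0.8 printable-byte threshold are constructed assumptions for the demonstration, not observed indicators.

```python
"""Defender-side triage for the two behaviours the article attributes to
WhisperGate: an MBR overwritten with an ASCII ransom note, and files whose
contents were overwritten and renamed with a random four-byte extension.
All sample data below is constructed for this example, not captured from
an infected host."""
import os
import string
import struct
import tempfile
from collections import Counter

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"            # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446            # four 16-byte entries follow the boot code
PRINTABLE = set(string.printable.encode())
# First line of the ransom note quoted in the article, used as a content marker.
NOTE_MARKER = b"Your hard drive has been corrupted"
# Assumed allow-list; a real deployment would use the organisation's own inventory.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg",
                    ".png", ".zip", ".html", ".json"}


def inspect_mbr(sector: bytes) -> dict:
    """Heuristic checks on one 512-byte MBR image. A legitimate MBR holds
    machine code (mostly non-printable bytes), a plausible partition table
    and the 0x55AA signature; a sector overwritten with a text note fails
    one or more of these."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    boot_code = sector[:PARTITION_TABLE_OFFSET]
    printable_ratio = sum(b in PRINTABLE for b in boot_code) / len(boot_code)

    plausible = 0
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS(3) type(1) CHS(3) lba_start(4) sector_count(4)
        status, ptype, _lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0 and status in (0x00, 0x80) and sectors > 0:
            plausible += 1

    findings = {
        "boot_signature_ok": sector[510:] == BOOT_SIGNATURE,
        "note_marker_present": NOTE_MARKER in sector,
        "printable_ratio": round(printable_ratio, 3),
        "plausible_partitions": plausible,
    }
    findings["suspicious"] = (
        findings["note_marker_present"]
        or not findings["boot_signature_ok"]
        or printable_ratio > 0.8          # boot code that is almost all text is not code
        or plausible == 0
    )
    return findings


def sweep_renamed_files(root: str, known: set = KNOWN_EXTENSIONS) -> dict:
    """Walk `root` and flag files whose extension is exactly four characters
    and absent from the allow-list, the rename pattern described for the
    file corrupter. A per-extension count is returned so a mass rename
    (many files, many distinct random extensions) stands out."""
    flagged = []
    by_ext = Counter()
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1]
            if len(ext) == 5 and ext.lower() not in known:   # "." plus four characters
                flagged.append(os.path.join(dirpath, name))
                by_ext[ext] += 1
    return {"flagged": sorted(flagged), "by_extension": dict(by_ext),
            "distinct_unknown_extensions": len(by_ext)}


def build_sample_mbrs() -> tuple:
    """Constructed sectors: a plausible single-partition MBR and one whose
    code, table and signature were all replaced by the note text."""
    prologue = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"   # xor ax,ax; mov ss,ax; mov sp,0x7C00
    boot_code = prologue.ljust(PARTITION_TABLE_OFFSET, b"\x00")
    first_entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_048_576)  # bootable NTFS
    benign = boot_code + first_entry + b"\x00" * 48 + BOOT_SIGNATURE
    note = (b"Your hard drive has been corrupted.\r\n"
            b"In case you want to recover all hard drives of your organization,\r\n")
    overwritten = note.ljust(SECTOR_SIZE, b"\x00")
    return benign, overwritten


def build_sample_tree() -> str:
    """Constructed directory: intact documents beside files renamed the way
    the corrupter does (contents replaced, four-character extension)."""
    root = tempfile.mkdtemp(prefix="whispergate_triage_")
    files = {"report.docx": b"PK\x03\x04", "notes.txt": b"meeting notes",
             "report.Qz7k": b"\x00" * 64, "budget.h2Xp": b"\x00" * 64,
             "deck.9mWb": b"\x00" * 64}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    benign, overwritten = build_sample_mbrs()
    print("benign MBR:     ", inspect_mbr(benign))
    print("overwritten MBR:", inspect_mbr(overwritten))
    print("file sweep:     ", sweep_renamed_files(build_sample_tree()))
```

On a real case, `inspect_mbr` would be fed the first 512 bytes of a forensic disk image, and `sweep_renamed_files` a mounted read-only copy of the user data volume; the output is a starting point for scoping, not proof of infection, since a single unknown extension is common and only the combination of a missing signature, note text and a burst of distinct four-character extensions matches the behaviour the article describes.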

The company is still analyzing the file corrupter, but it's already updated Microsoft Defender Antivirus and Microsoft Defender for Endpoint to detect this malware family, which it's tracking as "WhisperGate." It's also "continuing the investigation and will share significant updates with affected customers, as well as public and private sector partners," as it learns more.

In the meantime, Microsoft has advised companies to enable multi-factor authentication for accounts that can be used to remotely access their infrastructure. Microsoft Defender for Endpoint users can also use the Controlled Folder Access feature to "prevent MBR/[Volume boot record] modification." More information is available via the company's blog post.

"Given the scale of the observed intrusions," the company says, "MSTIC is not able to assess intent of the identified destructive actions but does believe these actions represent an elevated risk to any government agency, non-profit or enterprise located or with systems in Ukraine. We strongly encourage all organizations to immediately conduct a thorough investigation and to implement defenses using the information provided in this post."
