Researchers from the Microsoft Threat Intelligence Center (MSTIC) have analyzed the malware used in a large-scale attack on Ukrainian government agencies and institutions late last week. According to them, the malware is designed to look like ransomware at first glance but lacks any mechanism to recover data once a ransom is paid.
The company said it “believes the malware is intended to be destructive and aimed at rendering the targeted devices inoperable rather than extorting a ransom.”
“To date, based on Microsoft’s findings, our investigation teams have identified the malware on dozens of affected systems, and that number may increase as our investigation progresses,” the researchers said. “These systems include multiple government, non-profit, and IT organizations, all based in Ukraine. We do not know what stage the attacker’s operational cycle is at and how many other victim organizations there might be in Ukraine or other geographic locations. However, the impacted systems are unlikely to represent the full magnitude of the impacts as reported by other organizations.”
The malware is executed via Impacket and overwrites the Master Boot Record (MBR) with a ransom note demanding US$10,000 in Bitcoin; the destructive payload takes effect when the affected device is powered down. According to Microsoft, overwriting the MBR in this way is not typical of cybercriminal ransomware.
Even though a ransom note is left behind, Microsoft says it is a ruse. The malware locates files in specific directories that carry any of dozens of common file extensions and overwrites their contents with a fixed number of 0xCC bytes. It then renames each file with a seemingly random four-byte extension. Because the original contents are replaced rather than encrypted, there is no key to buy: the files cannot be recovered from the malware's output, only from backups.
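The file-wiping behaviour described above leaves a recognisable artifact: files whose entire body is the byte 0xCC, often with a four-character extension. The following is an added triage script, not Microsoft's code and not part of the original report, that walks a directory tree and flags such files. The sample tree it builds is constructed for the demonstration; the 4096-byte wipe size, the 64-byte minimum and the 4 MiB content cap are assumptions, since the report only says "a fixed number of 0xCC bytes".

```python
import os
import tempfile

WIPE_BYTE = 0xCC               # byte value the wiper writes over file contents, per the report
CONTENT_CAP = 4 * 1024 * 1024  # assumption: wiped files are small and fixed-size; larger files are not read
MIN_LEN = 64                   # assumption: a handful of 0xCC bytes is not evidence of wiping


def is_wiped_content(data: bytes) -> bool:
    """True when the body is at least MIN_LEN bytes and every byte is 0xCC."""
    return len(data) >= MIN_LEN and data.count(WIPE_BYTE) == len(data)


def has_four_char_extension(name: str) -> bool:
    """True when the last extension is exactly four characters, e.g. 'q.docx.k3ja'.
    Note that legitimate extensions such as .docx or .json also match, so this is
    only corroborating evidence, never a verdict on its own."""
    ext = os.path.splitext(name)[1]
    return len(ext) == 5  # the dot plus four characters


def scan_tree(root: str) -> list:
    """Walk root and return one record per file whose contents are entirely 0xCC."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                size = os.path.getsize(path)
                if size > CONTENT_CAP:
                    continue  # too large to be a fixed-size wipe artifact; skipped unread
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable (permissions, race); not a finding
            if not is_wiped_content(data):
                continue
            ext4 = has_four_char_extension(fn)
            findings.append({
                "path": os.path.relpath(path, root),
                "size": size,
                "four_char_ext": ext4,
                "verdict": "wiped" if ext4 else "wiped-content-only",
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root: str) -> None:
    """Constructed sample data (not real victim files): two wiped files, two intact ones."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs, exist_ok=True)
    wiped = bytes([WIPE_BYTE]) * 4096  # constructed size; the report does not give the real one
    with open(os.path.join(docs, "budget.xlsx.k3ja"), "wb") as fh:  # wiped and renamed
        fh.write(wiped)
    with open(os.path.join(docs, "report.pdf"), "wb") as fh:  # wiped, original name kept (constructed case)
        fh.write(wiped)
    with open(os.path.join(docs, "notes.txt"), "wb") as fh:  # intact
        fh.write(b"quarterly notes\n" * 100)
    with open(os.path.join(docs, "settings.json"), "wb") as fh:  # legitimate 4-char extension, real content
        fh.write(b'{"theme": "dark"}\n')


def demo() -> list:
    """Build the sample tree in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['verdict']:<20} {f['size']:>8}  {f['path']}")
```

Running it against the constructed tree reports only the two 0xCC-filled files; settings.json, despite its four-character extension, is ignored because its contents are real. On a live system, run it read-only against a mounted image rather than the original disk, and treat the byte-size of the flagged files as a useful pivot: a wiper writing a fixed count of bytes produces files of identical size regardless of what they were before.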
Microsoft emphasized that the attackers' actions are atypical for cyber extortionists: “In this case, the malware overwrites the MBR without any recovery mechanism.”