Microsoft has identified a destructive data-wiper malware attack targeting several sectors in Ukraine, including NGOs, IT providers, and government-owned organisations.
According to Microsoft, the threat actors launched data-wiper malware that is disguised as ransomware. The malware was identified immediately after the defacement of several Ukrainian websites.
The malware campaign started in the early weeks of January 2022, around the same time that more than 70 government websites were defaced by threat actors affiliated with the Russian secret services. However, Microsoft has not identified any link between the data-wiping malware and the website defacements.
The websites defaced by the threat actors include those of the Ukrainian Ministry of Education & Science and the Ministry of Foreign Affairs, among others. The threat actors also posted provocative messages on the main pages of the hacked websites.
Fortunately, a researcher said that the hackers did not alter the websites' underlying content, and no personal data was exposed.
The hackers also exploited the vulnerability tracked as CVE-2021-32648 in October of last year to reset the passwords of admin accounts.
The data-wiper malware belongs to the WhisperGate strain; its operators built it to look like ransomware, but it has no mechanism for recovering data after a ransom is paid.
Microsoft has found it on several systems but believes the threat actors have distributed it globally. Microsoft also described it as a two-stage wiper: the first stage overwrites the Master Boot Record (MBR) of target systems with a ransom message containing a Tox ID and a Bitcoin wallet address.
The second stage, hosted on a Discord channel, identifies files with specific extensions, overwrites their contents, and renames each file with a four-byte extension.
The use of data-wiper malware implies that the hackers are not seeking monetary gain; their aim is to disrupt their targets' daily operations. Moreover, overwriting the MBR renders the system unbootable, making data recovery difficult for affected organisations. Researchers believe the ransom note is a decoy that masks the hackers' true objectives.
Cybersecurity vendors should prioritise building and deploying detections for data-wiping attacks. Microsoft has published mitigations for the tactics used by these threat actors, including using the published indicators of compromise (IOCs) to determine whether a system has been compromised, and reviewing all authentication activity for any unwanted remote access.
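As an added example (not code from the article or from Microsoft), the following Python script implements one simple detection for the MBR-overwrite behaviour described above: it checks whether the first sector of a disk still looks like boot code or has been replaced by a text note. The heuristic thresholds, the keyword list and the two sample sectors are constructed for illustration, and the identifiers in the sample note are placeholders, not real indicators.

```python
import string

SECTOR_SIZE = 512
PRINTABLE = set(string.printable.encode())
NOTE_KEYWORDS = (b"tox", b"bitcoin", b"wallet", b"ransom")

def printable_ratio(sector: bytes) -> float:
    """Fraction of non-NUL bytes that are printable ASCII (NUL padding ignored)."""
    body = [b for b in sector if b != 0]
    return sum(b in PRINTABLE for b in body) / len(body) if body else 0.0

def assess_mbr(sector: bytes) -> dict:
    """Assess a 512-byte sector read from offset 0 of a disk.

    A legitimate MBR ends with the 0x55 0xAA boot signature and is mostly
    machine code, so few of its bytes are printable text.  A sector that is
    mostly readable text, or that mentions a Tox ID or a Bitcoin wallet (the
    article says the WhisperGate note carries both), is flagged as suspicious.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    ratio = printable_ratio(sector)
    lowered = sector.lower()
    keywords = [k.decode() for k in NOTE_KEYWORDS if k in lowered]
    return {
        "boot_signature": sector[510:] == b"\x55\xaa",
        "printable_ratio": round(ratio, 2),
        "keywords": keywords,
        "suspicious": ratio >= 0.8 or bool(keywords),
    }

def scan_first_sector(path: str) -> dict:
    """Read the first sector of a disk device or image file and assess it."""
    with open(path, "rb") as fh:
        return assess_mbr(fh.read(SECTOR_SIZE))

# Constructed sample 1: boot-code-like opcodes, NUL padding, valid signature.
CLEAN_MBR = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x00" * 501 + b"\x55\xaa"

# Constructed sample 2: the first sector replaced by a text note with placeholder
# identifiers (not real indicators), the condition the article describes.
NOTE = (b"Your hard drive has been corrupted.\r\n"
        b"Tox ID: <PLACEHOLDER-TOX-ID>\r\n"
        b"Bitcoin wallet: <PLACEHOLDER-WALLET>\r\n")
WIPED_MBR = NOTE.ljust(SECTOR_SIZE, b"\x00")

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("wiped", WIPED_MBR)):
        print(name, assess_mbr(sector))
```

On a live host, `scan_first_sector` would be pointed at the raw disk device or a forensic image; a flagged result means the boot sector should be compared against a known-good copy rather than trusted.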