Ukrainian Malware Attacks: Fake Ransomware Explained

On 13 January 2022, the Microsoft Threat Intelligence Center (MSTIC) identified multiple cases of destructive malware targeting organisations in Ukraine. The Ukrainian government has stated that it has evidence the attack was carried out by Russian nation-state actors; Russia has denied any involvement. Regardless of who initiated it, the attack appears likely to prove more destructive, and to affect more businesses, than initially expected. In this article we discuss how the malware affects systems, what the indicators of compromise are, how the damage could have been limited, and how we can help you avoid a similar attack on your business.

The attack explained

What makes this attack particularly interesting is that the malware was disguised as ransomware. In the first stage, once the malware runs on a system it overwrites the Master Boot Record with a ransom note demanding that the victim pay $10,000 in Bitcoin to a specified cryptocurrency wallet and then message a Tox ID in order to recover the data from the corrupted hard drive.

However, the ransom note is a ruse. The overwritten boot record takes effect when the device is next powered down and restarted: the original Master Boot Record and its contents are destroyed, and there is no mechanism by which payment could restore them. This is not common behaviour for criminal ransomware because:

  1. Nearly all ransomware encrypts file contents so that a decryption key can be sold back to the victim. This malware overwrites the Master Boot Record outright, and no decryption or recovery path exists.
  2. Ransomware payloads are typically customised for each victim; here the same note and payment details were reused across victims.
  3. Ransomware operators rarely use a Tox ID as the contact channel.
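
The boot-record overwrite described above can be checked for on a forensic copy of the disk without any vendor tooling: a sector 0 that has been replaced by a note is mostly printable text, usually has no usable partition table, and may lack the boot signature. The Python below is an added example written for this article, not code from Microsoft or from the malware's authors; the text-ratio threshold, the function names and both sample sectors are the editor's own constructions, and the note text is a placeholder rather than the real ransom note.

```python
"""Heuristic check of a 512-byte boot sector (MBR) for signs that it has been
replaced with text rather than boot code. Added example by the editor, not the
article's or MSTIC's code; thresholds and sample sectors are constructed."""
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446     # classic MBR: 446 bytes of boot code ...
PART_TABLE_OFF = 446    # ... then four 16-byte partition entries ...
SIGNATURE_OFF = 510     # ... then the 0x55 0xAA boot signature
TEXT_RATIO_LIMIT = 0.6  # assumption: genuine boot code is mostly non-printable


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII or TAB/LF/CR."""
    if not buf:
        return 0.0
    hits = sum(1 for b in buf if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return hits / len(buf)


def partition_table_plausible(mbr: bytes) -> bool:
    """A usable MBR has at least one entry, status bytes of 0x00/0x80,
    non-zero type/start/size in used entries and at most one boot flag."""
    used = bootable = 0
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        entry = mbr[off:off + 16]
        if entry == b"\x00" * 16:
            continue
        status, ptype = entry[0], entry[4]
        lba_start, size = struct.unpack_from("<II", entry, 8)
        if status not in (0x00, 0x80) or ptype == 0 or lba_start == 0 or size == 0:
            return False
        used += 1
        bootable += status == 0x80
    return used >= 1 and bootable <= 1


def assess_mbr(mbr: bytes) -> dict:
    """Return findings for one sector; 'suspicious' is True if any fired."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if mbr[SIGNATURE_OFF:] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing")
    if not partition_table_plausible(mbr):
        findings.append("partition table empty or malformed")
    ratio = printable_ratio(mbr[:BOOT_CODE_LEN])
    if ratio > TEXT_RATIO_LIMIT:
        findings.append(f"boot code area is {ratio:.0%} printable text")
    return {"suspicious": bool(findings), "findings": findings, "text_ratio": round(ratio, 2)}


def assess_image(path: str) -> dict:
    """Read sector 0 of a raw disk image (or block device) and assess it."""
    with open(path, "rb") as fh:
        return assess_mbr(fh.read(SECTOR_SIZE))


def _partition_entry(status: int, ptype: int, lba_start: int, size: int) -> bytes:
    # CHS fields are zeroed; modern loaders use the LBA fields.
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, size)


# Constructed sample 1: a healthy-looking MBR (typical x86 prologue, one NTFS
# partition starting at LBA 2048, valid signature).
CLEAN_MBR = (
    (b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C").ljust(BOOT_CODE_LEN, b"\x00")
    + _partition_entry(0x80, 0x07, 2048, 1_000_000) + b"\x00" * 48
    + b"\x55\xAA"
)

# Constructed sample 2: sector 0 replaced by a placeholder note (NOT the real
# ransom text); the partition table is gone but the signature is kept so the
# sector still "boots" and shows the note.
_NOTE = b"CONSTRUCTED SAMPLE NOTE: your disk is locked, pay to recover it.\r\n"
WIPED_MBR = (_NOTE * 10)[:BOOT_CODE_LEN] + b"\x00" * 64 + b"\x55\xAA"

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("wiped", WIPED_MBR)):
        print(name, assess_mbr(sector))
```

Run `assess_image()` against an image taken with `dd` or a write-blocked device, never the live disk of the affected machine. The checks are heuristics for triage, not a signature: a legitimate boot manager can fail the text-ratio test, and a wiper that keeps the partition table intact will only trip the text check.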

In the second stage, Stage2.exe downloads a file corrupter hosted on a Discord channel. Once executed, it locates files in certain directories that carry one of a hard-coded list of extensions, overwrites their contents and renames them. Affected types include ZIP archives, configuration files, Excel and Word documents, images and web files such as HTML and PHP. Because the original contents are overwritten rather than encrypted, the damage is irreversible; recovery depends on having intact, offline backups.
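After the file-corruption stage, the first practical question is which files are actually damaged and therefore need restoring from backup. A file whose extension implies a known format but whose first bytes no longer carry that format's header has almost certainly been overwritten in place. The following Python triage script is an added example written for this article, not code from Microsoft or from the incident; the magic-number table, the function names and the sample files it builds in a temporary directory are the editor's own constructions, and the fill byte used for the "wiped" samples is arbitrary.

```python
"""Post-incident triage: find files whose contents no longer match the format
their extension implies. Added example by the editor, not the article's code;
the magic table and the demo tree are constructed for illustration."""
import tempfile
from pathlib import Path

# Leading bytes a well-formed file of each type must start with.
# .docx/.xlsx are ZIP containers, so they share the ZIP local-file header.
MAGIC = {
    ".zip": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def header_mismatch(path: Path) -> bool:
    """True if the file has a known extension but its first bytes match none
    of the expected magic values. Unknown extensions are never flagged."""
    sigs = MAGIC.get(path.suffix.lower())
    if not sigs:
        return False
    with path.open("rb") as fh:
        head = fh.read(max(len(s) for s in sigs))
    return not any(head.startswith(s) for s in sigs)


def uniform_fill(path: Path, sample: int = 4096) -> bool:
    """True if the first `sample` bytes are a single repeated byte value, the
    usual footprint of a wiper that overwrites contents in place."""
    with path.open("rb") as fh:
        head = fh.read(sample)
    return len(head) > 0 and head.count(head[0:1]) == len(head)


def triage(root: Path) -> dict:
    """Walk `root` and classify each file as 'ok', 'mismatch' or 'filled'."""
    report = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        if header_mismatch(p):
            report[rel] = "filled" if uniform_fill(p) else "mismatch"
        else:
            report[rel] = "ok"
    return report


def build_demo_tree() -> Path:
    """Constructed sample: intact files, one untracked type and two damaged files."""
    root = Path(tempfile.mkdtemp(prefix="wiper-triage-"))
    (root / "good.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    (root / "good.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 64)
    (root / "notes.txt").write_bytes(b"plain text, extension not in the table")
    # Simulated wiper output: contents replaced by one repeated byte (arbitrary choice).
    (root / "report.xlsx").write_bytes(b"\x00" * 1024)
    # Simulated partial damage: header gone but the rest is not uniform.
    (root / "photo.jpg").write_bytes(b"\x00\x00garbage" + bytes(range(256)))
    return root


if __name__ == "__main__":
    for name, verdict in triage(build_demo_tree()).items():
        print(f"{verdict:8} {name}")
```

Point `triage()` at a mounted, read-only copy of the affected volume; the report distinguishes files that are intact, files whose header is wrong, and files that are uniformly filled, which is the class that cannot be repaired and must come from backup. Extend `MAGIC` with the formats your environment depends on; the table here is deliberately short.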

It is assumed that this attack was carried out by a Russian nation-state actor as part of the country's ongoing intimidation campaign against Ukraine. The organisations first affected were government and public-sector digital infrastructure, including websites; nonprofit and information technology organisations in Ukraine were also hit. Since the attack was not a true ransomware operation, it is believed to have been designed to cause disruption and unrest rather than to extort money. It also coincided with Russia massing around 100,000 troops on the border of Ukraine.

What this means to your business

Thankfully, Microsoft has created and deployed detections for this malware family in Microsoft Defender Antivirus and Microsoft Defender for Endpoint, for both on-premises and cloud environments. If your business runs either of these solutions and keeps it updated, the known samples will be detected and blocked. Note that a signature for one malware family is not protection against the next one: the same actor can rebuild the tooling, and the initial access that delivered it is a separate problem.

Attacks from nation-state actors are often highly sophisticated and difficult to detect. In general, however, businesses should follow the steps below to reduce the chance of falling victim to such an attack:

This attack is another example of how the threat landscape keeps evolving, with attackers disguising their intent and launching destructive multi-stage operations against a wide range of organisations. It also shows that no business is immune from being targeted, regardless of industry, location or size.

How we can help you

For businesses without in-house cybersecurity expertise, it can be difficult to keep up with modern attacks and prevention methods. For this reason it is often beneficial to outsource your cybersecurity requirements to a trusted third party. Contact us to find out how we protect your business from attacks like those on organisations in Ukraine.