Microsoft issued a warning detailing attacks on multiple Ukraine-based organizations using destructive data-wiping malware disguised as fake ransomware. The technology company discovered new attacks combining a destructive MBRLocker with data-corrupting malware to intentionally destroy victim data.
The new malware family, called “WhisperGate”, conducts a two-stage attack using two different destructive components. The first component, stage1.exe, is launched from the C:\PerfLogs, C:\ProgramData, C:\, or C:\temp folder and overwrites the Master Boot Record to display a ransom note. An MBRLocker replaces the “master boot record” located at the start of the computer’s hard drive, which contains the disk partition table and a small executable used to load the operating system. MBRLocker replaces that loader with a program that encrypts the partition table and displays a ransom note. This prevents the operating system from loading and the data from being accessed until the victim has paid the ransom and obtained a decryption key.
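The paragraph above describes the MBR layout that a locker tampers with: a 446-byte loader, a 64-byte partition table of four 16-byte entries, and the 0x55AA boot signature in the last two bytes of the first 512-byte sector. The following added example (not code from the original article or from Microsoft) parses a sector in that layout and compares the loader against a trusted baseline hash, which is the check a responder would run on a disk image to tell an intact MBR from one that has been overwritten. The sample sectors, the loader bytes and the baseline hash are all constructed here for the demonstration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # loader code occupies bytes 0..445
PARTITION_TABLE_OFF = 446     # four 16-byte partition entries follow the loader
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of every valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into loader hash, partition entries and signature state."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings for a sector; an empty list means it matches the trusted baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("loader code differs from baseline")
    if not info["partitions"]:
        findings.append("partition table contains no entries")
    return findings


def build_mbr(boot_code: bytes, partitions, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a synthetic MBR (constructed test data, not an image of a real disk)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)
                     for status, ptype, lba_start, sectors in partitions)
    table = table.ljust(4 * PARTITION_ENTRY_LEN, b"\x00")
    return code + table + signature


# Constructed "known good" sector: a few plausible loader bytes and one bootable NTFS partition
GOOD_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0", [(0x80, 0x07, 2048, 1_000_000)])
BASELINE_SHA256 = parse_mbr(GOOD_MBR)["boot_code_sha256"]

# Constructed tampered sector: foreign loader code and an emptied partition table
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x90" * 100, [])

if __name__ == "__main__":
    for label, sector in (("good", GOOD_MBR), ("tampered", TAMPERED_MBR)):
        findings = check_mbr(sector, BASELINE_SHA256) or ["no findings"]
        print(f"{label}: {'; '.join(findings)}")
```

On a live system the sector to check is the first 512 bytes of the physical disk (for example a raw read of `\\.\PhysicalDrive0` on Windows); the baseline hash should be recorded from a known-good image of the same build before an incident, since loader code legitimately differs between operating systems and boot managers.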
The ransom notes from “WhisperGate” instruct victims to send $10,000 in bitcoin to the “1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv” address and then contact the threat actors through a Tox chat ID. Although Microsoft notes that the use of Tox suggests the ransomware may be fake, numerous ransomware operations commonly use Tox as a communication method. However, the MBRLocker’s ransom notes use the same Bitcoin address for all victims and provide no way to enter a decryption key. Furthermore, files are overwritten with static, undecryptable data. Taken together, these indicate that the fake ransomware was designed for destruction rather than financial gain.
The second component, “stage2.exe”, is executed to download a data-destroying malware called “Tbopbh.jp”, which overwrites targeted files with static data. The corrupter overwrites the contents of any file carrying one of the targeted extensions with a fixed number of 0xCC bytes (total file size of 1MB). After overwriting the contents, the corrupter renames each file with a seemingly random four-byte extension. The file extensions targeted by the stage 2 component for corruption are the following:
.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU .SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP
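The stage 2 behaviour described above leaves a recognisable artifact: a file of fixed size whose every byte is 0xCC, carrying an extension that is no longer in the targeted list. The following added example (not code from the original article or from Microsoft) is a triage scanner that walks a directory tree, reports files matching that corruption pattern, and separately counts intact files whose extension is on the targeted list, so a responder can size both the damage and the remaining exposure. It assumes the page’s “1MB” means 1 MiB (1,048,576 bytes); the sample files it creates in a temporary directory are constructed for the demonstration.

```python
import os
import tempfile

FILL_BYTE = 0xCC
CORRUPTED_SIZE = 1024 * 1024   # assumption: the page's "1MB" taken as 1 MiB
CHUNK = 64 * 1024

# Extensions the page lists as stage 2 targets (upper case, compared case-insensitively)
TARGETED_EXTS = set("""
.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM
.CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU .SH .DOC .DOCB
.DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC
.INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML
.MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT
.P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT
.POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF
.SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW
.SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI
.VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS
.XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP
""".split())


def looks_corrupted(path: str) -> bool:
    """True when the file has the corrupter's output size and every byte is 0xCC."""
    try:
        if os.path.getsize(path) != CORRUPTED_SIZE:
            return False
        with open(path, "rb") as f:
            while chunk := f.read(CHUNK):
                # bytes.count(int) counts occurrences of that byte value
                if chunk.count(FILL_BYTE) != len(chunk):
                    return False
        return True
    except OSError:
        return False


def is_targeted(path: str) -> bool:
    """True when the file's extension is on the stage 2 target list."""
    _, ext = os.path.splitext(path)
    return ext.upper() in TARGETED_EXTS


def scan(root: str) -> dict:
    """Walk root; list corrupted files and intact files that carry a targeted extension."""
    report = {"corrupted": [], "at_risk": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if looks_corrupted(path):
                report["corrupted"].append(path)
            elif is_targeted(path):
                report["at_risk"].append(path)
    return report


def build_sample_tree() -> str:
    """Constructed test data: one corrupted file, one intact target, one non-target."""
    root = tempfile.mkdtemp(prefix="whispergate_demo_")
    # 1 MiB of 0xCC under a random-looking four-character extension
    with open(os.path.join(root, "report.x7Qp"), "wb") as f:
        f.write(bytes([FILL_BYTE]) * CORRUPTED_SIZE)
    with open(os.path.join(root, "notes.docx"), "wb") as f:
        f.write(b"PK\x03\x04 intact document header")
    with open(os.path.join(root, "photo.nope"), "wb") as f:
        f.write(b"not a targeted extension")
    return root


if __name__ == "__main__":
    result = scan(build_sample_tree())
    print("corrupted:", result["corrupted"])
    print("at risk:", result["at_risk"])
```

Point `scan()` at a mounted image or a file share rather than a live, still-infected host; the size check runs first so the scanner only reads the contents of files that already match the corrupter's output size.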
The two malware components don’t offer any means of entering a decryption key to restore the original Master Boot Record. Microsoft is unable to attribute the attacks to any specific threat actor and is tracking the activity as DEV-0586. With tensions rising between Russia and Ukraine, it’s possible that the attacks are designed to create chaos in Ukraine. In 2017, thousands of Ukrainian companies were targeted by the NotPetya ransomware in a similar attack. Even though NotPetya was based on the real “Petya” ransomware, the NotPetya attacks on Ukraine were launched as a cyberweapon rather than as a payment generator. The United States formally indicted Russian GRU threat actors believed to be part of “Sandworm”, an elite Russian threat group, for the NotPetya attacks.
Fifteen Ukrainian public institutions and government websites were hacked, defaced, and taken offline. The threat actors defaced the websites with a message warning visitors that their data had been stolen and shared publicly online. The message reads, “Ukrainian! All your personal data has been uploaded to the public network. All data on the computer is destroyed, it is impossible to recover them. All information about you has become public, be afraid and expect the worst. This is for your past, present and future. For Volyn, for the OUN UPA, for Galicia, for Polissya and for historical lands.” The threat actors also created new accounts on the popular RaidForums hacking forum and released the allegedly stolen data as part of their intimidation campaign.
However, the threat actors reviewed the published data and indicated that it is not related to Ukrainian government agencies and contains data from an old leak. Ukraine attributes the attacks to Russia, with the intention of undermining confidence in the Ukrainian government. The Ukrainian government explains that Russian cyber troops are working against the United States and Ukraine, using technology to shake up the political situation. The latest cyberattack can be attributed to Russia’s hybrid war against Ukraine, which has been going on since 2014. Russia’s goal is to intimidate Ukrainian society, halt the work of the public sector, destabilize the situation in Ukraine, and undermine confidence in the Ukrainian government. Russia pursues this goal by spreading false information about the vulnerability of critical information infrastructure and by leaking Ukrainians’ personal data.
With destructive data-wiping malware now being disguised as ransomware, any ransomware group can use this tactic to cause serious damage to the data network of a company or government agency anywhere in the world. It’s now more crucial than ever for companies and government agencies to remain alert to the current threat landscape and to keep their network’s security posture up to date to prevent potential threats. At SpearTip, we are the trusted provider of breach coaches everywhere. The certified engineers at our 24/7 Security Operations Centers specialize in incident response and handling breaches with one of the fastest response times in the industry. Our ShadowSpear Platform is an unparalleled resource with endpoint detection and response capabilities that prevent cyber threats like malware disguised as fake ransomware from impacting companies and government agencies.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.