Malware Operation Not Yet Linked to Any Known Threat Actor
On January 13th, a major cyber incident pushed several Ukrainian government websites offline. This included Ukraine’s foreign ministry and education ministry. Now, Microsoft says that the affected systems “span multiple government, non-profit, and information technology organizations” in the country. MSTIC’s investigation is ongoing. As of now, it has not found notable associations between the attack and any previously known threat groups. MSTIC is tracking the attack as DEV-0586. Such designations, i.e, DEV-####, are temporary names that Microsoft gives to unknown or emerging threat activity. “We do not know the current stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations,” Microsoft said. “However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.”
Microsoft Says Discovered Operation is Unlike Other Criminal Ransomware Activity
MSTIC goes into detail about how the malware operates and why it believes it is unique. The malware overwrites its victim’s Master Boot Record (part of the hard drive which instructs the computer to load the operating system) with a ransom note. This note contains a bitcoin wallet address, and a unique Tox user ID. MSTIC said it has not previously observed this type of activity. Furthermore, it said that the ransom note is simply a ruse, and the malware destroys the Master Boot Record and all its contents. MSTIC provided more reasons for why this attack is unusual:
Most ransomware payloads are customised for each victim. Here, MSTIC found the same payload at multiple compromised locations. Ransomware encrypts a victim’s data on the filesystem. However, the malware overwrites the Master Boot Record, without the possibility of recovering the data. Modern criminal ransom notes do not normally contain explicit payment amounts and cryptocurrency wallet addresses. It is also unusual for the only mode of contact to be a Tox ID. Usually, cybercriminals offer more ways for organizations to contact them, like email. Most ransom notes usually contain a custom ID. Cybercriminals instruct victims to communicate though this ID, which ultimately leads to the sharing of a victim-specific decryption key. However, the ransom note here did not contain a custom ID.
MSTIC has strongly encouraged all organizations to carry out a comprehensive investigation and to implement protective measures using the information in its blog post. If this story piqued your interest, and you want to learn more about threats online and how you can protect yourself, check out our detailed resource on ransomware.
