Microsoft says ‘destructive malware’ being used against Ukrainian firms
Microsoft said it has discovered destructive malware being used to corrupt the systems of multiple organizations in Ukraine.
In a blog post published on Saturday, Microsoft Threat Intelligence Center (MSTIC) said it first discovered the ransomware-like malware on January 13.
The news comes days after more than 70 Ukrainian government websites were defaced by groups allegedly associated with Russian secret services.
However, Microsoft said it “has not found any notable associations” between the malware it found and the website attacks that occurred last week, according to reports by ZDNet.
“MSTIC assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom,” Microsoft explained.
The malware executes via Impacket and overwrites the master boot record (MBR) on a system with a ransom note demanding $10,000 in Bitcoin.
The malware executes once a device powers down, and the tech giant said it was “atypical” for cybercriminal ransomware to overwrite the MBR.
Jake Moore, Global Cyber Security Advisor at ESET: “This form of malware has been designed to wipe files while imposing a ransomware demand rather than to deploy the usual full encryption. This is likely intended to cause as much disruption as possible, rather than the motivation being financial.”
“Geopolitical situations and state-sponsored attacks often have very different motivational factors behind them, with threat actors choosing to interfere and disturb normal work as a statement rather than to hold data for a monetary ransom. The antidote will most likely be to recover from the backup which, if in order, could take a few days.”