Microsoft: Ukrainian companies are targeted by destructive malware

Microsoft reports that Ukrainian organizations are being targeted by malware that masquerades as ransomware but lacks the ability to recover data even if victims decide to pay attackers.

The report is based on information collected by Microsoft Threat Intelligence Center (MSTIC), Digital Security Unit (DSU), Detection and Response Team (DART), and Microsoft 365 Defender Threat Intelligence Team. (Which doesn’t have an acronym, for obvious reasons.) Microsoft says its many teams are “working to create and implement detections for this activity.”

“At this time and based on Microsoft’s visibility,” the company says in a blog post of its findings, “our investigation teams have identified the malware on dozens of affected systems and that number could increase as our investigation continues. These systems span multiple governments, non-profit organizations and information technology, all based in Ukraine.”

Microsoft is currently tracking these attacks as DEV-0586. The designation “DEV” indicates that it is “a temporary name given to an unknown, emerging or developing threat activity, allowing MSTIC to track it as a unique set of information until we achieve a high level of confidence in the origin or identity of the actor behind the activity,” the company explains.

The DEV-0586 malware is said to work in two stages. The first stage of the malware overwrites the Master Boot Record, which Microsoft describes as “the part of a hard drive that tells the computer how to load its operating system”, with the following ransom note:

Your hard drive has been corrupted.

If you want to recover all hard drives

of your organization,

You should pay us $10,000 via bitcoin wallet

1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send a message via

Toxic ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65

with the name of your organization.

We will contact you with further instructions.

“The malware runs when the associated device is turned off,” Microsoft explains. “Overwriting the MBR is atypical for cybercriminal ransomware. In reality, the ransomware note is a trick and the malware destroys the MBR and the contents of the files it targets.”

Microsoft claims that the second stage of the malware downloads what “may be described as a malicious file corrupter” from an attacker-controlled Discord channel. This malicious file corrupter looks for common file extensions “in certain system directories” and overwrites the contents of those files before renaming them “with a seemingly random four-byte extension”.

The company is still analyzing the corrupting file, but it has already updated Microsoft Defender Antivirus and Microsoft Defender for Endpoint to detect this malware family, which it tracks as “WhisperGate”. It is also “continuing the investigation and will share important updates with affected customers, as well as public and private sector partners,” as it learns more.

In the meantime, Microsoft has advised companies to enable multi-factor authentication for accounts that can be used to access their infrastructure remotely. Microsoft Defender for Endpoint users can also use the Controlled Folder Access feature to “Prevent MBR/[Volume boot record] modification.” More information is available via the company’s blog.

“Given the scale of the intrusions observed,” the company states, “MSTIC is unable to assess the intent of the identified destructive actions, but believes that these actions represent a high risk to any government agency, at nonprofit or business located or with systems in Ukraine.We strongly encourage all organizations to immediately conduct a thorough investigation and put in place defenses using the information provided in this message.