
Ukraine: Wiper malware masquerading as ransomware hits government organizations
2022-01-17 12:10

In the wake of last week's attention-grabbing defacements of many Ukrainian government websites, Microsoft researchers have revealed evidence of a malware operation targeting multiple organizations in Ukraine, deploying what appears to be ransomware but is actually Master Boot Record (MBR) wiper malware.

Late on Saturday, Microsoft shared information and IOCs related to a malware campaign targeting Ukrainian organizations.

"The organizations affected by this malware include government agencies that provide critical executive branch or emergency response functions and an IT firm that manages websites for public and private sector clients, including government agencies whose websites were recently defaced," the researchers noted.

"The malware resides in various working directories, including C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, and is often named stage1.exe. In the observed intrusions, the malware executes via Impacket, a publicly available capability often used by threat actors for lateral movement and execution," they shared.
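Because the payload described here overwrites the Master Boot Record, a defender's first question after an alert is whether a host's boot sector is still intact. The following is an added example, not code from the article or from Microsoft's report: it parses a 512-byte boot sector and flags signs of overwriting (missing 0x55AA signature, invalid partition status bytes, text-heavy boot code, mismatch against a recorded baseline hash). The sample sectors are constructed, and the 0.75 text-ratio threshold and the idea of reading the live sector from the raw disk device are assumptions.

```python
import hashlib
from typing import List, Optional, Tuple

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # 446 bytes of boot code, then 4 x 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510-511 of a valid MBR
TEXT_RATIO_LIMIT = 0.75          # assumed threshold: boot code is mostly machine code

def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte sector into signature validity and its four partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        e = sector[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        entries.append({
            "status": e[0],                       # 0x80 bootable, 0x00 inactive
            "type": e[4],                         # 0 means the slot is unused
            "lba_start": int.from_bytes(e[8:12], "little"),
            "sectors": int.from_bytes(e[12:16], "little"),
        })
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": entries}

def baseline_hash(sector: bytes) -> str:
    """SHA-256 of a known-good sector, recorded before an incident."""
    return hashlib.sha256(sector).hexdigest()

def mbr_findings(sector: bytes, baseline: Optional[str] = None) -> List[str]:
    """Return human-readable signs that the boot sector has been overwritten."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if any(p["status"] not in (0x00, 0x80) for p in info["partitions"]):
        findings.append("invalid partition status byte")
    code = sector[:PART_TABLE_OFFSET]
    if sum(0x20 <= b <= 0x7E for b in code) / len(code) > TEXT_RATIO_LIMIT:
        findings.append("boot code is mostly printable text")
    if baseline and baseline_hash(sector) != baseline:
        findings.append("sector differs from recorded baseline")
    return findings

def constructed_samples() -> Tuple[bytes, bytes]:
    """Constructed sectors, not real captures: a clean MBR and an overwritten one."""
    code = bytes((i * 37 + 11) % 256 for i in range(PART_TABLE_OFFSET))
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])
    entry += (2048).to_bytes(4, "little") + (1_000_000).to_bytes(4, "little")
    clean = code + entry + bytes(48) + BOOT_SIGNATURE
    overwritten = (b"CONSTRUCTED NOTE TEXT, NOT A REAL SAMPLE. " * 20)[:MBR_SIZE]
    return clean, overwritten
```

On a live Windows host the sector would be read from the raw disk device with administrative rights; the baseline hash should be recorded from a known-good image, not from the host under investigation.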

Based on the capabilities and activity of the malware, as well as the content of the ransomware note, the researchers believe that the attackers are not part of a cybercriminal ransomware gang.

While Microsoft did not make a definite connection between this activity and a previously known threat actor, the malware campaign is evocative of the 2017 NotPetya attacks against businesses and government entities in Ukraine and around the world, which have been attributed by several Western governments to the Russian military, i.e., the Sandworm Team, a hacking group believed to be part of Unit 74455 of the Russian Main Intelligence Directorate.


News URL

https://www.helpnetsecurity.com/2022/01/17/ukraine-wiper-malware/