Jan 17 2022

Microsoft: Data-wiping malware disguised as ransomware targets Ukraine again

Category: Information Security, Malware
DISC @ 12:03 pm

Microsoft said today that it has observed a destructive attack taking place in Ukraine in which a malware strain wiped infected computers and then tried to pass itself off as ransomware, but without any working payment and recovery mechanism behind the ransom demand.

“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues,” the Microsoft Threat Intelligence Center said in a blog post late Saturday night.

The OS maker said the affected systems belong to multiple government agencies, non-profits, and information technology organizations, all based in Ukraine.

Microsoft said it has not yet identified the distribution vector or if the attack spread beyond the original Ukrainian targets.

The attack does not appear to be at the same scale and virality as the NotPetya and BadRabbit wiper events that targeted Ukrainian organizations in June and November 2017, respectively, and then spread all across the world.

Just like the NotPetya and BadRabbit wipers, Microsoft said that this recent one also comes with a component that overwrites a computer's Master Boot Record (MBR) and prevents it from booting.

The malware corrupts files, rewrites MBR, hides as ransomware

The malware, which Microsoft calls WhisperGate, then replaces the boot-up screen with a ransom note, which, according to Microsoft, includes a ransom fee, a Bitcoin address to receive payments, and a Tox ID to get in contact with the attackers.

Even if victims manage to restore their MBR and their boot-up sequence, Microsoft says the malware also corrupts files with certain extensions by overwriting their contents with a fixed number of 0xCC bytes, for a total file size of 1MB.

“After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension,” Microsoft said.

.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU .SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP
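The file-corruption behaviour described above (contents replaced by 0xCC bytes to a 1MB total, then a rename to a random four-byte extension) is easy to triage for on a recovered volume. The point worth noting for responders is that once the destructor has renamed a file, matching on the original extension list no longer finds it; the content pattern is the reliable indicator. The following Python script is an added example written for this page, not code from Microsoft or from the malware analysis; it assumes the random extension is four alphanumeric characters (an assumption, since the report only says "seemingly random four-byte") and builds a small constructed directory tree so it runs offline.

```python
"""Triage helper for WhisperGate-style file destruction.

Flags files whose entire content is a single fill byte (0xCC), and rates a
hit as 'wiped' when it also matches the reported size (1MB) and a random
four-character extension, or 'suspicious' when only the content matches.
Added example; not Microsoft's or the malware's code.
"""
import os
import re
import tempfile

FILL_BYTE = 0xCC                 # fill value reported by Microsoft
FILL_SIZE = 1024 * 1024          # total file size after overwrite (1MB)
# Assumption: "random four-byte extension" means four alphanumeric characters.
RANDOM_EXT = re.compile(r"^\.[0-9A-Za-z]{4}$")


def is_fill_only(path, fill=FILL_BYTE, chunk_size=65536):
    """True if the file is non-empty and every byte equals `fill`.

    Streams in chunks so large files and whole volumes can be scanned
    without loading each file into memory.
    """
    if os.path.getsize(path) == 0:
        return False                      # zero-length files carry no pattern
    pattern = bytes([fill]) * chunk_size
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return True
            if chunk != pattern[: len(chunk)]:
                return False


def classify(path):
    """Return 'wiped', 'suspicious' or None for a single file."""
    if not is_fill_only(path):
        return None
    ext = os.path.splitext(path)[1]
    if os.path.getsize(path) == FILL_SIZE and RANDOM_EXT.match(ext):
        return "wiped"                    # full indicator: size + content + rename
    return "suspicious"                   # fill-only content, needs a look


def scan(root):
    """Walk `root` and return {relative_path: verdict} for flagged files."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                verdict = classify(full)
            except OSError:
                continue                  # unreadable file: skip, don't abort the scan
            if verdict:
                hits[os.path.relpath(full, root)] = verdict
    return hits


def build_sample_tree(root):
    """Constructed sample data so the scan runs stand-alone (not victim data)."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "report.docx.aq3f"), "wb") as fh:
        fh.write(bytes([FILL_BYTE]) * FILL_SIZE)      # textbook wiped file
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly numbers\n")             # untouched file
    with open(os.path.join(root, "cache.bin"), "wb") as fh:
        fh.write(bytes([FILL_BYTE]) * 4096)           # 0xCC content, wrong size/ext
    with open(os.path.join(root, "empty.log"), "wb"):
        pass                                          # zero bytes: never flagged


def demo():
    """Build the constructed tree in a temp dir and return the scan result."""
    root = tempfile.mkdtemp(prefix="whispergate-triage-")
    build_sample_tree(root)
    return scan(root)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:10s} {rel}")
```

Run it against a mounted forensic image by calling `scan("/mnt/evidence")`; the 'suspicious' bucket is there because a partial overwrite (process killed mid-run, or a file smaller than the 1MB fill) still indicates the destructor touched the file.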

At the time of writing, the attackers' Bitcoin address had received only a single payment of about $5, against the $10,000 demanded in the ransom note.

No formal attribution just yet

Tags: Data-wiping malware