On January 16, 2022, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a warning regarding destructive malware targeting Ukrainian organizations, including Ukrainian government agencies. The malware was found in multiple government, non-profit, and information technology organizations, all based in Ukraine. CISA’s warning comes on the heels of a separate targeted attack against Ukraine on January 14, 2022, in which the threat actor(s) left the troubling message – “Be afraid and expect the worst” – on the Foreign Ministry of Ukraine’s website. Ukraine’s Ministry of Digital Transformation addressed the cyberattack and, while attribution for the attack has not been confirmed at this time, the Ukrainian government suspects that the hack was part of Russia’s ongoing state-sponsored cyberattacks against Ukraine.
According to a Microsoft blog post cited by CISA, the current malware resembles a ransomware attack, but is unusual in that the threat actor(s) appear more interested in destruction than in compensation. The malware first overwrites the Master Boot Record (MBR), the portion of a computer’s hard drive that identifies how to load its operating system, with a ransom note. The ransom note asks for a payment of $10,000 to a Bitcoin wallet to recover the infected hard drive. The ransom note, however, appears to be a “ruse”: rather than encrypting the contents of files on the filesystem (the standard behavior in ransomware attacks), the malware destroys the MBR along with any targeted files. The malware lacks any recovery mechanism; once it is activated on an infected computer, which occurs when the device is powered down, the hard drive is overwritten and the computer is practically inoperable. Such irreversible and destructive features are more consistent with state-sponsored actors seeking to undermine an enemy’s capabilities and/or sow chaos than with a non-state criminal actor seeking a ransom payment. Analysis of the malware is ongoing, and we can expect further details and guidance from CISA in the coming days and weeks.
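As an added illustration, not taken from the post or from the CISA/Microsoft analysis it cites, the following Python performs a read-only sanity check on a saved 512-byte MBR image and flags the symptom described above: a boot sector whose boot code has been replaced by text and whose partition table and boot signature are gone. The offsets are the standard MBR layout; the 0.6 text-ratio threshold and both sample images are constructed for this example.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # expected at offset 510 of a valid MBR
PT_OFFSET = 446                       # four 16-byte partition entries start here
TEXT_RATIO_THRESHOLD = 0.6            # boot code is machine code, not prose (assumed cutoff)


def parse_partition_table(mbr: bytes) -> list:
    """Return the four entries as (status, type, lba_start, sector_count) tuples."""
    entries = []
    for i in range(4):
        raw = mbr[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        # byte 0 status, 1-3 CHS start, byte 4 type, 5-7 CHS end, 8-11 LBA start, 12-15 count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        entries.append((status, ptype, lba, count))
    return entries


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace; a crude text detector."""
    printable = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return printable / len(data)


def assess_mbr(mbr: bytes) -> list:
    """Return a list of findings; an empty list means the sector looks like a normal MBR."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if printable_ratio(mbr[:PT_OFFSET]) > TEXT_RATIO_THRESHOLD:
        findings.append("boot code region is mostly printable text")
    # An entry is usable if it is non-empty, has a valid status flag, a type, and a length.
    usable = [e for e in parse_partition_table(mbr)
              if any(e) and e[0] in (0x00, 0x80) and e[1] != 0 and e[3] > 0]
    if not usable:
        findings.append("no usable partition table entry")
    return findings


# Constructed samples (not real disk images): a plausible MBR and one overwritten with a note.
_BOOT_STUB = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c\xbf" * 8
_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x83, b"\xfe\xff\xff", 2048, 204800)
HEALTHY_MBR = _BOOT_STUB.ljust(PT_OFFSET, b"\x00") + _ENTRY + b"\x00" * 48 + BOOT_SIGNATURE
DEFACED_MBR = b"[CONSTRUCTED SAMPLE] Your hard drive has been corrupted.".ljust(SECTOR_SIZE, b" ")

if __name__ == "__main__":
    for name, image in (("healthy", HEALTHY_MBR), ("defaced", DEFACED_MBR)):
        print(name, assess_mbr(image) or ["looks intact"])
```

On a real investigation the image would come from a forensic copy of sector 0 rather than from the constructed constants above.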