CISA Releases Warning of Destructive Malware Targeting Ukrainian Organizations

Alston & Bird

On January 16, 2022, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a warning regarding destructive malware targeting Ukrainian organizations, including Ukrainian government agencies. The malware was found in multiple government, non-profit, and information technology organizations, all based in Ukraine. CISA’s warning comes on the heels of a separate targeted attack against Ukraine on January 14, 2022, where the threat actor(s) left the troubling message – “Be afraid and expect the worst” – on the Foreign Ministry of Ukraine’s website. Ukraine’s Ministry of Digital Transformation addressed the cyberattack and, while attribution for the attack has not been confirmed at this time, the Ukrainian government suspects that the hack was part of Russia’s ongoing state-sponsored cyberattack against Ukraine.

According to a Microsoft blog post cited by CISA, this malware resembles a ransomware attack, but is unique in that the threat actor(s) appear more interested in destruction than in compensation. The malware first overwrites the Master Boot Record (MBR), which is the portion of a computer’s hard drive that identifies how to load its operating system, with a ransom note. The ransom note asks for a payment of $10,000 to a Bitcoin wallet to recover the infected hard drive. The ransom note, however, appears to be a “ruse,” as the malware destroys the MBR along with any targeted files, as opposed to encrypting the contents of the files on the filesystem (which is standard in ransomware attacks). The malware lacks any recovery mechanism; once the malware is activated on an infected computer, which occurs when the device is powered down, the hard drive is overwritten and the computer is practically inoperable. Such irreversible and destructive features are more consistent with state-sponsored actors seeking to undermine an enemy’s capabilities and/or sow chaos than with a non-state criminal actor seeking a ransom payment. Analysis of the malware is ongoing and we can expect further details and guidance from CISA in the coming days and weeks.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising
