Data Backup Digest

Microsoft has recently reported on a new, highly destructive malware assault that is currently targeting various organizations throughout Ukraine. While malware is nothing new, even for large organizations in Ukraine, the recent attacks are thought to be spurred on by recent political events in the area.

Looking at the Malware

This particular strain of malware is designed to cause as much confusion and destruction as possible. Currently dubbed DEV-0586, it has yet to be linked to any specific hacking group. Although the malware is designed to mimic ransomware, this particular strain actually lacks any true unlocking or recovery mechanism.

Instead, it’s purposefully designed to lock users out of their systems – for good. To make matters worse, the software then requests a ransom – without any intentions of ever restoring the victim’s system. Not only does it have the potential of disrupting service and day-to-day operations on behalf of these organizations, but it’s also targeting them where it hurts the most – in the wallet.

A recent Microsoft blog post stated, in part: “Our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues. These systems span multiple government, non-profit and information technology organizations, all based in Ukraine.”

The team with the Microsoft Threat Intelligence Center, or MSTIC, first became aware of the threat on January 13, 2022. Microsoft’s team has already identified dozens of infected systems, but that number is expected to increase. A representative was quick to point out that it isn’t clear if other potential victims exist in other locations around the globe.

Per the research, MSTIC was able to determine that the DEV-0586 malware self-executes when an infected device is powered down. With that in mind, it’s easy to see how some dormant systems could already be infected without anyone knowing. Once these systems are booted back up, however, the damage will become evident.

It starts by overwriting the system’s Master Boot Record (MBR), which enables its fraudulent ransom note. However, this is just a ruse to take the user’s attention away from the real problem. Next, the app downloads another piece of malware, this time a mass file corrupter, which begins the real attack.

The file corrupter targets files with many popular extensions, including popular digital image formats, archives, databases, and more. As such, it’s able to infect a large amount of files in a very short amount of time. When infected, the file corrupter overwrites the contents of each file on an individual basis, thus making it inaccessible to the user.

A Possible Culprit

While it’s not clear who is responsible for the recent attacks, some security experts in Ukraine place the blame squarely on Russian intelligence services. Representatives with Moscow have denied any involvement in the attack.

But this isn’t the first time that Russian intelligence is taking the blame for cyber warfare. The government was blamed for the NotPetya ransomware assault of 2017, which resulted in damage exceeding $10 billion in Ukraine. That attack was specifically focused on governmental entities, financial services, and energy providers.