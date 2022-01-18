Microsoft has reported that Ukrainian organizations are being targeted by malware masquerading as ransomware; victims who pay the ransom cannot recover their data.

The report is based on information collected by the Microsoft Threat Intelligence Center (MSTIC), the Digital Security Unit (DSU), the Microsoft Detection and Response Team (DART), and the Microsoft 365 Defender Threat Intelligence Team. “Our research teams have identified the malware on dozens of impacted systems and that number could grow as our research continues.

These systems span multiple government, nonprofit, and information technology organizations, all of which are based in Ukraine,” the company explained in a blog post.


How does this malware work?

Microsoft is tracking this activity as DEV-0586. The “DEV” designation indicates that it is “a temporary name given to unknown, emerging, or developing threat activity.” The DEV-0586 malware is said to work in two stages. The first stage overwrites the Master Boot Record, which Microsoft describes as “the part of a hard drive that tells the computer how to load its operating system”, with the following ransom note:

Your hard drive has been corrupted. In case you want to recover all the hard drives of your organization, you must pay us 10 thousand dollars through the bitcoin wallet 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send the message through tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057C057 We will contact you with further instructions.

Microsoft says that the malware executes when the associated device is powered down. “Overwriting the MBR is atypical for ransomware from cybercriminals. Actually, the ransomware note is a ruse, and the malware destroys the MBR and the contents of the files it targets.”

Microsoft has explained that the second stage of the malware downloads what “can be described as a malicious file corrupter” from a Discord channel controlled by the attacker. This malicious file corrupter looks for common file extensions “in certain system directories” and overwrites the contents of those files before renaming them “with a seemingly random four-byte extension.”
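The two stages described above leave footprints a responder can check for: a first sector that may still carry a valid boot signature (the fake note has to boot in order to be displayed) but whose partition table is gone and whose bytes contain the note text, and user files renamed to a short random extension with their original contents overwritten. The following is an added triage example, not code from Microsoft or from the article. Everything in it is constructed: the sample sectors, the sample file tree, the extensions "Aq7b" and "zX1q", and the constant 0xCC/0x00 fill; the page says only that file contents are overwritten, so treating a constant-byte fill as the sign of an overwrite is an assumption made for this example.

```python
"""Added triage helpers for the two WhisperGate stages described above.

Constructed samples only: no disk is read and the only filesystem writes
go to a temporary directory created by demo_scan().
"""
import os
import tempfile

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
# First sentence of the ransom note quoted in the report, used as a marker.
NOTE_MARKER = b"Your hard drive has been corrupted"
# Legitimate four-character extensions that must not be flagged.
KNOWN_EXTS = {"docx", "xlsx", "pptx", "json", "html", "yaml", "jpeg", "webp"}


def inspect_mbr(sector: bytes) -> dict:
    """Report whether a raw first sector still looks like a normal MBR.

    A wiped MBR can keep the 0x55AA boot signature, so the signature alone
    proves nothing; the partition table and the note text are the signals.
    """
    if len(sector) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector")
    table = sector[446:510]                       # 4 entries x 16 bytes
    entries = [table[i:i + 16] for i in range(0, 64, 16)]
    statuses_ok = all(e[0] in (0x00, 0x80) for e in entries)  # inactive/active
    has_partition = any(any(e) for e in entries)
    return {
        "boot_signature": sector[510:512] == BOOT_SIGNATURE,
        "partition_table_sane": statuses_ok and has_partition,
        "ransom_note_present": NOTE_MARKER in sector,
    }


def build_clean_mbr() -> bytes:
    """Constructed sector: empty boot code, one active NTFS (0x07) partition."""
    entry = (bytes([0x80]) + bytes(3) + bytes([0x07]) + bytes(3)
             + (2048).to_bytes(4, "little") + (1_000_000).to_bytes(4, "little"))
    return bytes(446) + entry + bytes(48) + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed sector imitating stage 1: a tiny boot stub, the note text,
    the partition table overwritten with zeros, boot signature left intact.
    The stub (jmp $) is a stand-in, not the malware's real boot code."""
    body = b"\xeb\xfe" + NOTE_MARKER + b"."
    return body.ljust(510, b"\x00") + BOOT_SIGNATURE


def find_corrupted_files(root: str, known_exts: set) -> list:
    """Flag files matching the stage-2 footprint: a final extension of four
    characters that is not a known type, whose contents are a single
    repeated byte (assumption: an overwrite leaves a constant fill).
    A file with an odd extension but varied contents is left alone."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = name.rsplit(".", 1)[1] if "." in name else ""
            if len(ext) != 4 or ext.lower() in known_exts:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(1 << 16)            # sample the first 64 KiB
            if head and head.count(head[:1]) == len(head):
                hits.append(path)
    return sorted(hits)


def demo_scan() -> list:
    """Write a constructed sample tree to a temp dir and return the base
    names that find_corrupted_files() flags."""
    root = tempfile.mkdtemp(prefix="whispergate-demo-")
    samples = {
        "report.docx": b"PK\x03\x04" + bytes(range(64)),   # intact Office file
        "config.json": b'{"retries": 3}\n',                 # known 4-char ext
        "legacy.dat4": bytes(range(256)),                   # odd ext, real data
        "budget.xlsx.Aq7b": b"\xcc" * 4096,                 # renamed + filled
        "photo.jpg.zX1q": b"\x00" * 2048,                   # renamed + filled
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return [os.path.basename(p) for p in find_corrupted_files(root, KNOWN_EXTS)]


if __name__ == "__main__":
    print(inspect_mbr(build_clean_mbr()))
    print(inspect_mbr(build_wiped_mbr()))
    print(demo_scan())
```

On a real image you would feed `inspect_mbr()` the first 512 bytes of the disk (for example from a forensic copy) rather than the constructed sectors, and point `find_corrupted_files()` at the directories the report says the corrupter targets. Both checks are heuristics: an intact partition table does not prove the sector is untouched, and the constant-fill test will miss an overwrite that uses varied filler bytes.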

The company is still analyzing the file corrupter, but has already updated Microsoft Defender Antivirus and Microsoft Defender for Endpoint to detect this malware family, which it is tracking as “WhisperGate”.

Microsoft has advised companies to enable multi-factor authentication for accounts that can be used to remotely access their infrastructure. Microsoft Defender for Endpoint users can also use the controlled folder access feature to “prevent modification of the MBR/[Volume boot record]”.

A critical moment in Ukraine that could be key in Europe

We are living through a key moment in Europe: a conflict is brewing in Ukraine, and some argue that we are now closer to a war on our continent than at any time in decades. The poor relations between Russia and Ukraine are being felt at the international level.

The massive attacks on computer systems in Ukraine could be related to this serious situation. In fact, three days ago Ukrainian government websites were defaced amid the threat of a Russian invasion, and the attackers claimed that personal information of Ukrainian citizens had been leaked. A group of hackers took several Ukrainian government websites offline with threatening messages, including the words “be afraid and expect the worst”.

The hackers replaced the home pages of the Ukrainian Ministry of Foreign Affairs, the Ministry of Education and Science, and other key sites with a banner warning citizens that their personal data had been leaked. “Ukrainians! All your personal data has been uploaded to the public network,” said the message, which was written in Russian, Ukrainian and Polish.