Microsoft reports that Ukrainian organizations are being targeted by malware that masquerades as ransomware but lacks the ability to recover data even if victims decide to pay the attackers.
The report is based on information gathered by the Microsoft Threat Intelligence Center (MSTIC), Digital Security Unit (DSU), Detection and Response Team (DART), and Microsoft 365 Defender Threat Intelligence Team. (Which has no acronym, for obvious reasons.) Microsoft says its many teams "are working to create and implement detections for this activity."
"At present and based on Microsoft visibility," the company says in a blog post about its findings, "our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues. These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine."
Microsoft is currently tracking these attacks as DEV-0586. The "DEV" designation indicates that this is "a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity," the company explains.
The malware from DEV-0586 is said to operate in two stages. The first stage of the malware overwrites the Master Boot Record, which Microsoft describes as "the part of a hard drive that tells the computer how to load its operating system," with the following ransom note:
Your hard drive has been corrupted.
In case you want to recover all hard drives
of your organization,
You should pay us $10k via bitcoin wallet
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message
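As an added illustration of the first-stage behaviour described above (not code from Microsoft's report or from the malware), the following Python checks whether a disk's sector 0 still looks like a real Master Boot Record or has been overwritten with note text: it verifies the 0x55AA boot signature, decodes the partition table, and scans the 446-byte bootstrap area for the quoted note string. The two sample sectors are constructed for the demonstration and are not real disk data; the paths in the comment are the usual raw-device names, not values from the report.

```python
import string
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"                                # MBR boot signature at offset 510
NOTE_MARKER = b"Your hard drive has been corrupted"  # first line of the note quoted above

def read_mbr(path: str) -> bytes:
    """Read sector 0 from a disk image or raw device (e.g. /dev/sda or \\.\PhysicalDrive0)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)

def parse_partitions(mbr: bytes) -> list:
    """Decode the four 16-byte partition table entries that start at offset 446."""
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        parts.append({"status": status, "type": ptype, "start_lba": start, "sectors": count})
    return parts

def check_mbr(mbr: bytes) -> dict:
    """Heuristic check for an MBR whose boot code has been replaced by text."""
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if not any(p["type"] and p["sectors"] for p in parts):
        findings.append("no usable partition table entries")
    bootstrap = mbr[:446]
    if NOTE_MARKER in bootstrap:
        findings.append("ransom-note text in bootstrap area")
    printable = sum(1 for b in bootstrap if chr(b) in string.printable)
    if printable > 0.6 * len(bootstrap):              # real boot code is mostly non-printable
        findings.append(f"bootstrap area is mostly text ({printable} printable bytes)")
    return {"suspicious": bool(findings), "findings": findings, "partitions": parts}

# Constructed samples (not real disk data): a healthy MBR and one overwritten with the note.
def build_clean_mbr() -> bytes:
    boot = (bytes(range(256)) * 2)[:446]              # stand-in for 446 bytes of boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x00\x00", 0x07, b"\xfe\xff\xff", 2048, 409600)
    return boot + entry + b"\x00" * 48 + BOOT_SIG

def build_wiped_mbr() -> bytes:
    note = b"Your hard drive has been corrupted.\r\nIn case you want to recover all hard drives\r\nof your organization,\r\n"
    return (note + b"\x00" * SECTOR)[:SECTOR]

if __name__ == "__main__":
    for name, mbr in (("clean", build_clean_mbr()), ("wiped", build_wiped_mbr())):
        print(name, check_mbr(mbr)["findings"])
```

Run against a forensic image of an affected machine, a hit on all three structural findings together is a strong sign the sector was overwritten rather than merely damaged.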