Amid the escalating geopolitical conflict between Russia and Ukraine, multiple Ukrainian organizations have fallen victim to a destructive “wiper” malware operation that damages a system’s master boot record (MBR) and destroys the contents of targeted files. These attacks are ongoing, and organizations without a Ukrainian presence should also be prepared as the situation develops.
Threat Advisory Technical Detail & Additional Information
What is the threat?
In January, a destructive “wiper” malware, which destroys the content of impacted systems with no possibility of recovery, was found on the devices of multiple major organizations in Ukraine. The malware resides in various working directories, including C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, and is often named stage1.exe. In observed attacks, the malware was executed via Impacket, a publicly available collection of tools often used by threat actors for lateral movement and unauthorized execution. The stage1 executable overwrites the MBR, the part of a hard drive that tells a computer how to load its operating system, with a ransom note that executes when the device is powered down. In reality, the ransom note is a ruse, as the next stage of the attack irreversibly destroys the contents of the targeted files. When executed, the stage2 executable downloads a malicious file corrupter that, once running in memory, locates files in certain directories on the victim system, overwrites each file's contents with a fixed number of 0xCC bytes (for a total file size of 1MB), and renames each file with a seemingly random four-byte extension.
What is noteworthy?
While these attacks have only targeted organizations in Ukraine so far, other nations could be impacted as the global conflict continues to develop. The Russian government, the alleged perpetrator behind these attacks, could feasibly turn its attention to other nations that it considers a challenge to its geopolitical goals, such as the US, Canada, and UK. The first round of wiper malware targeting Ukrainian organizations was identified in January, and a second round was identified on February 23rd, demonstrating that these attacks are ongoing. When successful, these attacks can cause widespread damage to an organization as they can destroy large amounts of critical data with no possibility of recovery.
What is the exposure risk?
Organizations with a presence in Ukraine should be on high alert as immediate potential targets of this malware. Organizations outside of Ukraine that are based in nations considered adversarial by the Russian government, including the US, Canada, UK, and other western nations, should also prepare in case they are targeted in the near future. Specifically, organizations in energy, transportation, and other critical infrastructure sectors should be on high alert as they have been preferred targets of previous Russian cybercrime campaigns. If targeted, organizations without endpoint protection that prevents the execution of malicious executables will be the most likely to fall victim to these types of attacks.
What are the recommendations?
Barracuda MSP recommends the following actions to reduce the risk of a successful wiper malware attack:
• Deploy endpoint protection in your organization and ensure it is set to prevent the execution of malicious executables.
• Monitor for IOCs associated with these attacks. Keep in mind that current lists are not exhaustive and that more IOCs will emerge as these attacks develop.
• Scan your environment for malware, first verifying that your scanning solution is up to date with relevant threat intelligence.
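As an added example (not part of the advisory and not Barracuda code), the script below turns the file-level indicators described in the threat detail and the "monitor for IOCs" and "scan your environment" recommendations into a check a defender can run over an endpoint or file share: it flags files that have been overwritten with 0xCC bytes to a size of 1MB, notes whether they carry a four-character extension, and looks for stage1.exe directly inside the working directories the advisory names. It assumes "1MB" means 1 MiB (1,048,576 bytes) and that the random extension is alphanumeric; the sample files it writes into a temporary directory are constructed for the demonstration and are not real victim data.

```python
import os
import tempfile
from pathlib import Path

# Indicators from the advisory: the file corrupter fills each file with 0xCC
# bytes to a total size of 1MB and renames it with a random four-byte
# extension; the first stage is often named stage1.exe and resides in
# C:\PerfLogs, C:\ProgramData, C:\ or C:\temp.
FILL_BYTE = 0xCC
WIPED_SIZE = 1024 * 1024            # assumption: "1MB" read as 1 MiB
STAGE1_NAME = "stage1.exe"
STAGE1_DIRS = [r"C:\PerfLogs", r"C:\ProgramData", "C:\\", r"C:\temp"]
CHUNK = 64 * 1024


def is_wiped_content(path):
    """True if the file is exactly WIPED_SIZE bytes and every byte is FILL_BYTE."""
    p = Path(path)
    try:
        if p.stat().st_size != WIPED_SIZE:
            return False
        expected = bytes([FILL_BYTE]) * CHUNK
        with p.open("rb") as fh:
            while True:
                chunk = fh.read(CHUNK)
                if not chunk:
                    return True          # reached EOF with every byte matching
                if chunk != expected[:len(chunk)]:
                    return False
    except OSError:
        return False                     # unreadable files are not flagged


def has_random_extension(path):
    """True if the final extension is exactly four alphanumeric characters (assumed shape)."""
    suffix = Path(path).suffix           # includes the leading dot
    return len(suffix) == 5 and suffix[1:].isalnum()


def find_wiped_files(root):
    """Walk root and return sorted [(path, indicators)] for files matching the wiper's pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_wiped_content(full):
                indicators = ["0xCC fill, 1MB"]
                if has_random_extension(full):
                    indicators.append("4-byte extension")
                hits.append((full, indicators))
    return sorted(hits)


def find_stage1(dirs=STAGE1_DIRS, name=STAGE1_NAME):
    """Return paths where a file named stage1.exe sits directly in one of the given directories."""
    return [os.path.join(d, name) for d in dirs if os.path.isfile(os.path.join(d, name))]


def build_sample_tree(base):
    """Constructed sample data for the demonstration; none of it is real malware or victim data."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "PerfLogs").mkdir(exist_ok=True)
    # Wiped as the advisory describes: 1MB of 0xCC, random four-byte extension.
    (base / "docs" / "budget.xlsx.k3zq").write_bytes(bytes([FILL_BYTE]) * WIPED_SIZE)
    # Intact document: must not be flagged.
    (base / "docs" / "notes.txt").write_bytes(b"quarterly notes\n" * 100)
    # 0xCC content but the wrong size: must not be flagged.
    (base / "docs" / "partial.bin").write_bytes(bytes([FILL_BYTE]) * 4096)
    # Placeholder file carrying the first-stage name in a PerfLogs directory.
    (base / "PerfLogs" / STAGE1_NAME).write_bytes(b"placeholder, not a real binary")
    return base


def demo():
    """Build the constructed tree in a temp directory, scan it, and return (wiped names, indicators, stage1 names)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        wiped = find_wiped_files(base)
        stage1 = find_stage1([str(base / "PerfLogs"), str(base / "docs")])
        return (
            [os.path.basename(p) for p, _ in wiped],
            [ind for _, ind in wiped],
            [os.path.basename(p) for p in stage1],
        )


if __name__ == "__main__":
    names, indicators, stage1 = demo()
    for n, ind in zip(names, indicators):
        print(f"wiped file: {n} ({', '.join(ind)})")
    for s in stage1:
        print(f"stage1 candidate: {s}")
```

On a Windows host, calling find_wiped_files on a data root and find_stage1 with its default directory list runs the same checks against the real filesystem; the size and fill-byte test is a content match, so a hit is worth an immediate isolation and IR response rather than a scan of the rest of the share.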
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.
This post was based on a threat advisory issued by our Barracuda Managed XDR team. For more info on how to best prepare your MSP business to protect clients from cyberthreats, visit the Barracuda Managed XDR page.