{"id":104856,"date":"2022-01-15T18:28:30","date_gmt":"2022-01-16T02:28:30","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=104856"},"modified":"2023-10-13T08:43:30","modified_gmt":"2023-10-13T15:43:30","slug":"destructive-malware-targeting-ukrainian-organizations","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/01\/15\/destructive-malware-targeting-ukrainian-organizations\/","title":{"rendered":"Destructive malware targeting Ukrainian organizations"},"content":{"rendered":"\n

June 2023 update<\/strong> – For more information about Cadet Blizzard’s tooling, victimology, and motivation, read this blog: Cadet Blizzard emerges as a novel and distinct Russian threat actor | Microsoft Security Blog<\/a><\/strong><\/p>\n\n\n\n

April 2023 update<\/strong> \u2013 Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-0586<\/strong> is now tracked as Cadet Blizzard<\/strong>. <\/p>\n\n\n\n

<\/p>\n\n\n\n

Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine. This malware first appeared on victim systems in Ukraine on January 13, 2022. Microsoft is aware of the ongoing geopolitical events in Ukraine<\/a> and surrounding region and encourages organizations to use the information in this post to proactively protect from any malicious activity.<\/p>\n\n\n\n

While our investigation is continuing, MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.<\/p>\n\n\n\n

At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues. These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine. We do not know the current stage of this attacker\u2019s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations. However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.<\/p>\n\n\n\n

Given the scale of the observed intrusions, MSTIC is not able to assess intent of the identified destructive actions but does believe these actions represent an elevated risk to any government agency, non-profit or enterprise located or with systems in Ukraine. We strongly encourage all organizations to immediately conduct a thorough investigation and to implement defenses using the information provided in this post. MSTIC will update this blog as we have additional information to share.<\/p>\n\n\n\n

As with any observed nation-state actor activity, Microsoft directly and proactively notifies customers that have been targeted or compromised, providing them with the information they need to guide their investigations. MSTIC is also actively working with members of the global security community and other strategic partners to share information that can address this evolving threat through multiple channels. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor or merged with existing actors.<\/p>\n\n\n\n

Observed actor activity<\/h2>\n\n\n\n

On January 13, Microsoft identified intrusion activity originating from Ukraine that appeared to be possible Master Boot Records (MBR) Wiper activity. During our investigation, we found a unique malware capability being used in intrusion attacks against multiple victim organizations in Ukraine.<\/p>\n\n\n\n

Stage 1: Overwrite Master Boot Record to display a faked ransom note<\/h3>\n\n\n\n

The malware resides in various working directories, including C:\\PerfLogs<\/em>, C:\\ProgramData<\/em>, C:\\,<\/em> and C:\\temp<\/em>, and is often named stage1.exe<\/em>. In the observed intrusions, the malware executes via Impacket, a publicly available capability often used by threat actors for lateral movement and execution.<\/p>\n\n\n\n

The two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note (Stage 1). The MBR is the part of a hard drive that tells the computer how to load its operating system. The ransom note contains a Bitcoin wallet and Tox ID (a unique account identifier used in the Tox encrypted messaging protocol) that have not been previously observed by MSTIC:<\/p>\n\n\n\n

Your hard drive has been corrupted.\nIn case you want to recover all hard drives\nof your organization,\nYou should pay us $10k via bitcoin wallet\n1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via\ntox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65\nwith your organization name.\nWe will contact you to give further instructions.<\/pre>\n\n\n\n
The malware executes when the associated device is powered down. Overwriting the MBR is atypical for cybercriminal ransomware. In reality, the ransomware note is a ruse and that the malware destructs MBR and the contents of the files it targets. There are several reasons why this activity is inconsistent with cybercriminal ransomware activity observed by MSTIC, including:<\/p>\n\n\n\n