from the I-hope-that-they-have-backups-no,-of-course-they-won't dept.
Microsoft Warns of Destructive Disk Wiper Targeting Ukraine
[...] "All data on the computer is being destroyed, it is impossible to recover it," said a message, written in Ukrainian, Russian, and Polish, that appeared late last week on at least some of the infected systems. "All information about you has become public, be afraid and expect the worst."
[...] Around the same time, Microsoft wrote in a post over the weekend, "destructive" malware with the ability to permanently destroy computers and all data stored on them began appearing on the networks at dozens of government, nonprofit, and information technology organizations, all based in Ukraine. The malware—which Microsoft is calling Whispergate—masquerades as ransomware and demands $10,000 in bitcoin for data to be restored.
But Whispergate lacks the means to distribute decryption keys and provide technical support to victims, traits that are found in virtually all working ransomware deployed in the wild. It also overwrites the master boot record—a part of the hard drive that starts the operating system during bootup.
"Overwriting the MBR is atypical for cybercriminal ransomware," members of the Microsoft Threat Intelligence Center wrote in Saturday's post. "In reality, the ransomware note is a ruse and that the malware destructs MBR and the contents of the files it targets. There are several reasons why this activity is inconsistent with cybercriminal ransomware activity observed by MSTIC."
Over the weekend, Serhiy Demedyuk, deputy head of Ukraine's National Security and Defense Council, told news outlets that preliminary findings from a joint investigation of several Ukrainian state agencies show that a threat actor group known as UNC1151 was likely behind the defacement hack. The group, which researchers at security firm Mandiant have linked to the government of Russian ally Belarus, was behind an influence campaign named Ghostwriter.
Ghostwriter worked by using phishing emails and theft domains that spoof legitimate websites such as Facebook to steal victim credentials. With control of content management systems belonging to news sites and other heavily trafficked properties, UNC1151 "primarily promoted anti-NATO narratives that appeared intended to undercut regional security cooperation in operations targeting Lithuania, Latvia, and Poland," authors of the Mandiant report wrote.
'Russian-backed' Hackers Defaced Ukrainian Websites as Cover for Dangerous Malware Attack
Malicious malware posing as ransomware has been discovered on multiple computer systems in the Ukraine following a hacking attack on Friday that targeted more than 70 government websites.
Hackers exploited a known vulnerability in a content management system used by government agencies and other organisations to deface websites with threatening messages written in Ukrainian, Polish and Russian.
The Ukrainian government has blamed a Russian-influenced hacking group for defacing government websites with messages warning Ukrainians "to expect the worst".
But it emerged over the weekend that Friday's attacks appeared to have been a distraction exercise to divert attention from more serious malware implanted on Ukrainian government and commercial computer systems.
Microsoft disclosed over the weekend that it had detected "destructive malware" on dozens of computer systems belonging to Ukrainian agencies and organisations, including IT companies, that work closely with the Ukrainian government.
The malware, first detected on 13 January 2020, masquerades as ransomware, but is designed to destroy information on infected computer systems without offering victims the ability to recover the data in return for a ransom payment.