Business Continuity Management / Disaster Recovery , Cybercrime , Cybercrime as-a-service

Teardown: Fake Ransomware Targeting Ukrainian Government

'Operation Bleeding Bear' Involved Disk-Wiping Malware, Resulted in Few Infections
Teardown: Fake Ransomware Targeting Ukrainian Government
Fake ransom note left by WhisperGate wiper malware (Source: CrowdStrike)

More information continues to emerge about destructive malware that infected some government systems in Ukraine. But the malware, which is built to leave PC hard drives corrupted and unrecoverable, only affected a small number of systems, and numerous questions about the incident remain unanswered.

See Also: Live Webinar | How To Meet Your Zero Trust Goals Through Advanced Endpoint Strategies

Here's what's known: Last Thursday, about a dozen Ukrainian government websites were defaced with a message claiming Ukrainians' personal data had been stolen and the sites destroyed. At the same time, some systems were also destroyed by wiper malware.

The wiper malware attack came to light publicly on Saturday, when Microsoft detailed the destructive code, which it calls WhisperGate, saying it knew of "dozens of impacted systems."

Endpoint security products have now been updated to spot and block the malware from executing.

Ukraine's National Cyber Security Coordination Center is now referring to the attack as Operation Bleeding Bear. Government officials have not yet attributed the attack but have said they're eyeing both Russia and Belarus as having potentially been involved in the wiper malware and defacements.

The website defacements share two common denominators: Kitsoft, a Ukrainian firm that manages sites for numerous organizations in Ukraine, and October, which is the content management system it uses for all of the affected sites. The version of October installed on affected servers was outdated and had not yet been updated by Kitsoft to patch a vulnerability, designated CVE-2021-32648, that was fixed last August via a new software release.

On Monday, Ukraine's Security Service, the SBU, reported that government investigators found that "the attack used vulnerabilities of the website content management system, OctoberCMS, and Log4j, as well as compromised accounts of the developer's employees." Log4j refers to a critical, widespread vulnerability in older versions of Apache's logging software, which is built into thousands of different software products.

The SBU reports that the wiper malware destroyed both Windows and Linux systems. While the government has not detailed how many systems were corrupted, a government official told cybersecurity journalist Kim Zetter that systems at two agencies had been infected, while an unnamed source with knowledge of the investigation said that only a "handful" of systems had actually been infected.

(Editor's note: Cisco Talos now says the wiper malware infections appear to be tied to network intrusions that began by late summer 2021, with the malware being installed a short time later.)

3-Stage Wiper Malware Attack

Teardowns of the wiper malware by Microsoft, CrowdStrike and Elastic say that this was a three-stage attack:

  1. Malicious bootloader: This was designed to overwrite the master boot record, or MBR, of an infected hard drive and after the system boots, to overwrite every 199th sector on the hard drive to leave it corrupted - and thus inoperable - except for displaying a "fake ransom note" demanding a $10,000 payment in bitcoins, CrowdStrike says.
  2. Discord downloader: A "stage2.exe" file begins stage two of the attack, by downloading and executing a malicious payload hosted on the Discord communications platform. Elastic says this component adds an exclusion to prevent Windows Defender from scanning the root directory, then deactivates Windows Defender, and finally launches the third stage - a file wiper - by loading it into memory.
  3. File wiper: Separate to the MBR corruption, this fileless, file-corrupting component searches for a number of different file types. Elastic says the software "targets any local hard drives, attached USB drives or mounted network shares," and "overwrites the start of each targeted file with 1MB of static data … regardless of file size."

Unlike previous wiper malware attacks, for unknown reasons, an infected system isn't made to reboot after stage one completes. CrowdStrike says another component may have been designed to do this or the delay may have been intentional, perhaps to let the file-wiping tool run first.

Attack stages (Source: Elastic)

Expert Consensus: Fake Ransomware

All of the above teardowns of the malware agree: Despite it including a ransom note, this is fake ransomware.

The reasons for this conclusion are numerous. As Microsoft says, overwriting the MBR leaves no chance for recovery. In addition, "ransomware payloads are typically customized per victim," so attackers can track which victims pay in return for a decryptor, but in this attack the identical payload was seen across all victims, and all were directed to pay using the same bitcoin address, for a fixed amount in dollars, all of which is unusual, Microsoft says.

More evidence comes in the lack of communication channels offered to victims. The ransom note, for example, tells victims to make contact via the Tox encrypted messaging protocol. But Microsoft says almost every real ransomware attack gives victims multiple ways to communicate, such as via a data leak site, a dedicated darknet payment portal and an email address.

The bitcoin address included in the ransom note had yet to receive any ransom payments by Jan. 20. (Source: Elastic)

Seeing wiper malware get deployed against Ukrainian targets obviously echoes the 2017 NotPetya wiper malware attack, which the U.S. blamed on Russia.

NotPetya was malware - distributed as Trojanized updates via a legitimate Ukrainian accounting software developer's update server - that pretended to be ransomware, but that instead left infected hard drives unrecoverable.

CrowdStrike, however, says it has so far found "no technical overlap" that would tie last week's attack to NotPetya.

Whereas security experts lauded the engineering behind NotPetya, WhisperGate is less refined, researchers say. "This process is unsophisticated but reminiscent of the more evolved implementation of NotPetya's malicious MBR that masqueraded as the legitimate 'chkdsk' disk-repair utility while actually corrupting the infected host's file system," CrowdStrike says.

Was Intent Simply to Cause More Chaos?

As Russia threatens to invade Ukraine, Russian troops remain massed on the border and Russia has been conducting nearby military and naval exercises, the threat from Moscow remains clear.

Ukraine's Ministry of Foreign Affairs website featured this defacement on Jan. 14, 2022, telling viewers they should "be afraid and expect the worst," and claiming that all personal data being stored on the site had been stolen in the attack, for which Polish nationalists had supposedly been responsible.

Thus the website defacements and wiper malware may have been intended to bolster that, either via infections aimed at corrupting a large number of systems - which failed - or simply by adding to the perceived cyberthreat posed by Russia.

"By leveraging different malware components to wipe machines and corrupt files, it's apparent there was no intent to recover any fund, but likely a technique used to sow chaos and doubt into Ukraine's stability," Elastic says.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.