Ukrainian "fake ransomware" malware attacks explained, and the cyber security techniques that defend against them.

Ukrainian Malware Attacks: Fake Ransomware Explained, and Why Your Business Must Be Cyber-Aware

Ukraine finds itself at the centre of attention once more as troops from all sides gather at its borders. The mainstream media, with its subtle and persistent biases, has succeeded in stoking fear and paranoia among its audiences.

Western media is now focused on reporting that Russia is supposedly threatening an invasion and that the strife between the two nations could escalate. One tactic in such a conflict is to use cyber-attacks against critical infrastructure.

On January 13th, the Microsoft Threat Intelligence Center (MSTIC) identified multiple cases of malware targeting organisations in Ukraine. The Ukrainian government has indicated that it has 'evidence' that the cyberattack was carried out by Russian nation-state actors; Russia has since stated that it had nothing to do with the attacks. Regardless of who initiated it, the attack could prove more destructive and affect more businesses than initially expected. In this article we discuss how the malware affected systems, the indicators of compromise, how it could have been avoided, and how we can help you avoid a similar attack on your business.

The attack explained

What makes this attack particularly interesting is that the malware was disguised as ransomware. In the first stage, once the malware is on a system it overwrites the Master Boot Record (MBR) of the system drive with a ransom note demanding that the victim pay $10,000 in Bitcoin to a specified cryptocurrency wallet and then contact a Tox ID (an encrypted messaging service) to recover the data from the 'corrupted' drive.

However, the ransom note is a ruse. Overwriting the MBR is itself destructive: it removes the boot code and partition table the machine needs to start, and nothing in the malware restores them if the ransom is paid. A second stage then executes further malware that corrupts files. This is not typical behaviour for criminal ransomware, because:

  1. Nearly all ransomware encrypts the contents of files so that they can be sold back to the victim. This malware overwrites the MBR and then the files themselves, so there is nothing to decrypt and the data cannot be recovered.
  2. Ransomware payloads are typically customised for each victim, with a unique identifier and wallet; this one was not.
  3. It is not common for ransomware to use a Tox ID for victim communication.

In the second stage, Stage2.exe downloads additional malware hosted on Discord. Once executed, it locates every file whose extension is on its target list and corrupts it in place by overwriting its contents, so there is no encryption key to recover. The affected types include ZIP archives, configuration files, Excel and Word documents, images and website files. This damage is irreversible unless the business has a comprehensive backup solution that the malware could not reach.
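The first stage turns on the structure of the MBR, so a useful triage step during incident response is to read sector 0 of the system disk and check whether it still looks like boot code. The following is an added example written for this article, not the malware or any vendor's tooling: it parses a 512-byte MBR (bootstrap code, partition table and 0x55AA signature), flags readable ransom-note text where machine code should be, an emptied partition table, and any drift from a baseline hash of the bootstrap code recorded while the host was healthy. The sample sectors, the keyword list and the printable-text threshold are constructed assumptions of this example; the `\\.\PhysicalDrive0` path assumes a Windows host and an elevated prompt.

```python
"""Triage a 512-byte Master Boot Record (MBR) for signs of a fake-ransomware wiper.

Added example, not code from the original article. A legitimate MBR holds x86
bootstrap code in bytes 0-439, a disk signature at 440, the 64-byte partition
table at 446 and the 0x55AA boot signature at 510. A wiper that replaces the
sector with a ransom note leaves readable text where machine code should be
and usually destroys the partition table as well.
"""
import hashlib
import string
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code area, before the disk signature
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510
BOOT_SIGNATURE = b"\x55\xAA"

# Words that belong in a ransom note, not in boot code (heuristic chosen for this example).
RANSOM_KEYWORDS = (b"bitcoin", b"wallet", b"tox", b"decrypt", b"corrupted", b"ransom")
PRINTABLE = frozenset(string.printable.encode())


def parse_partition_table(mbr):
    """Return the four primary partition entries as dicts (status, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII, ignoring trailing NUL padding."""
    data = data.rstrip(b"\x00")
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def triage_mbr(mbr, baseline_sha256=None):
    """Return {finding-code: detail} for anything suspicious; an empty dict means clean."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    findings = {}
    boot_code = mbr[:BOOT_CODE_LEN]

    if mbr[BOOT_SIG_OFF:] != BOOT_SIGNATURE:
        findings["missing-boot-signature"] = mbr[BOOT_SIG_OFF:].hex()

    ratio = printable_ratio(boot_code)
    if ratio > 0.75:   # real bootstrap code is only ~40% printable by chance
        findings["text-in-bootstrap"] = f"{ratio:.0%} of the bootstrap area is printable text"

    hits = [k.decode() for k in RANSOM_KEYWORDS if k in boot_code.lower()]
    if hits:
        findings["ransom-keywords"] = ", ".join(hits)

    if all(p["type"] == 0 for p in parse_partition_table(mbr)):
        findings["empty-partition-table"] = "no partition entries; data is unreachable without a backup"

    if baseline_sha256 is not None:
        digest = hashlib.sha256(boot_code).hexdigest()
        if digest != baseline_sha256:
            findings["bootstrap-baseline-mismatch"] = digest
    return findings


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw device (assumed Windows path; needs an elevated prompt)."""
    with open(device, "rb", buffering=0) as f:
        return f.read(MBR_SIZE)


def build_mbr(boot_code, partitions, disk_signature=0x1234ABCD, boot_signature=BOOT_SIGNATURE):
    """Assemble a 512-byte MBR from its parts; used here only to construct offline samples."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("bootstrap code too long")
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<IH", mbr, BOOT_CODE_LEN, disk_signature, 0)
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         status, ptype, lba_start, sectors)
    mbr[BOOT_SIG_OFF:] = boot_signature
    return bytes(mbr)


# Constructed samples (not captured from a real system).
# Stand-in for bootstrap code: a deterministic byte sequence with a code-like mix of values.
CLEAN_BOOT_CODE = bytes((i * 37 + 11) % 256 for i in range(BOOT_CODE_LEN))
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, 1_000_000)])
CLEAN_BASELINE = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()   # record this while the host is healthy

# A note in the style the article describes; the wallet and Tox ID are placeholders.
FAKE_NOTE = (b"Your hard drive has been corrupted.\r\n"
             b"To recover it, pay $10,000 in Bitcoin to the wallet below\r\n"
             b"and then contact us via Tox.\r\n"
             b"Wallet: <placeholder>  Tox ID: <placeholder>\r\n")
WIPED_MBR = build_mbr(FAKE_NOTE, [])   # note over the boot code, partition table gone

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_MBR), ("wiped", WIPED_MBR)):
        print(name, triage_mbr(sample, CLEAN_BASELINE) or "no findings")
```

On a live host, `triage_mbr(read_mbr(), baseline)` gives the same findings for the real sector 0; the baseline hash is the check worth keeping, because it also catches a quieter bootkit that rewrites the bootstrap code without leaving a note behind.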

It is assumed (not verified) that this attack was carried out by a Russian nation-state actor as part of that country's ongoing intimidation campaign against Ukraine. The organisations initially affected were government and public sector bodies and their digital infrastructure, including websites; the malware also spread to nonprofit and information technology companies. As this was not a true ransomware attack, it is believed to have been designed to cause unrest within the country. It also coincided with Russia mobilising 100,000 troops on the border of Ukraine.

What this means to your business

Thankfully, Microsoft has created and deployed detections for this malware family in Microsoft Defender Antivirus and Microsoft Defender for Endpoint, for both on-premises and cloud environments. If your business runs either of these solutions, the known samples will be detected; bear in mind that these detections cover the samples seen so far, and a modified variant could initially slip past them. Other security vendors have carried out similar work.

Attacks from nation-state actors are often highly sophisticated and difficult to detect. In general, however, businesses should follow the steps below to reduce the chance of falling victim to an attack:

  • Enable multifactor authentication (MFA) to mitigate compromised credentials, and ensure that MFA is enforced for all remote connectivity.
  • Enable Controlled Folder Access (CFA) in Microsoft Defender for Endpoint to block unauthorised modification of the MBR and volume boot record.
  • Implement a comprehensive email security solution to reduce the chance of a successful phishing attack.
  • Keep all systems, including operating systems and applications, up to date with security patches.
  • Implement a disaster recovery plan and a tested backup solution, with at least one copy kept offline or otherwise out of reach of malware running on the network, so that if your business does fall victim to an attack there is no significant downtime or loss of data.

This attack is another example of how the cybersecurity threat landscape is constantly evolving, with attackers disguising destructive multi-stage attacks as ordinary ransomware and aiming them at a wide variety of targets. It also underlines that no business is immune from being targeted, regardless of industry, location or size.

How we can help you

For businesses without in-house cybersecurity expertise, it can be difficult to stay up to date with modern attacks and prevention methods. For this reason, it is often beneficial to outsource your cybersecurity requirements to a trusted third party.

Contact us to find out more about how we protect businesses from attacks similar to those on the affected organisations in Ukraine.

Our services include Cyber Essentials accreditation

Managed firewall and endpoint protection.