Microsoft discovered the WhisperGate wiper attacking Ukrainian users

Microsoft says it discovered a destructive attack on Ukrainian users using the WhisperGate wiper, which tried to impersonate a ransomware, but in fact did not provide victims with data recovery options.

In fact, the detected threat is a classic wiper, that is, malware designed to deliberately destroy data on an infected host.

WhisperGate wiper

Such malware is usually used either to mask other attacks and remove important evidence of a hack, or to perform sabotage in order to inflict maximum damage on the victim and prevent it from performing its usual activities, as was the case with the Shamoon, NotPetya or Bad Rabbit attacks.

Currently, our investigation teams have identified malware on dozens of affected systems, but this number may increase as the investigation continues.Microsoft experts said.

According to the company, the attacks began on January 13, and the affected systems belonged to several Ukrainian state institutions, as well as non-profit organizations and information technology companies. Similarly to cases of NotPetya and BadRabbit wipers, the new malware also comes with a component that overwrites the MBR and prevents infected systems from booting.

The researchers have not yet been able to determine the vector of malware distribution, and therefore it is unclear whether the attack affected anyone else besides Ukrainian targets.

WhisperGate replaces the usual boot screen with a ransom note, which researchers say contains an amount, a bitcoin address, and a Tox ID to contact the attackers. So far, no payments have been made to the wallet of criminals.

However, experts note that it is useless to pay: even if the victims manage to restore the MBR, the malware deliberately damages files with certain extensions, overwriting their contents with a fixed number of bytes 0xCC, bringing the total file size to 1 MB. The affected extensions are listed below.

3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU.SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP file

Microsoft experts have said that so far, they have not been able to link these attacks to any specific hack group, and they are currently tracking the attackers under the ID DEV-0586.

Attacks on Ukrainian sites

At the end of last week, we already wrote that many Ukrainian sites suffered from cyberattacks and were defaced.

As the Ukrainian authorities have now said, Russian hackers are responsible for this attack:

All the evidence points to Russia being behind this cyberattack. Moscow continues a hybrid war and is actively building up its forces in the information and cyberspace.- the ministry said in a statement.

The ministry says that the purpose of this attack is “not only to intimidate the public,” but also “to destabilize the situation in Ukraine by shutting down the public sector and undermining confidence in the government on the part of Ukrainians.”

I also recall that I reported that Russian-speaking hackers attacked the government infrastructure of Poland.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *