The Microsoft Threat Intelligence Center (MSTIC), a Microsoft division dedicated to detecting cyber attacks and network vulnerabilities, has in recent days warned of a sophisticated attack aimed at Ukrainian companies and organizations.
“This malware appeared for the first time in the systems of victims in Ukraine on January 13, 2022,” the company explains.
“It is designed to look like other ransomware programs (programs that block or encrypt the data on a computer until the victim pays a ransom) but it lacks a recovery mechanism; its goal is to destroy and disable devices,” it adds.
MSTIC engineers have detected this software on more than a dozen systems covering multiple government organizations, NGOs and technology companies, all based in Ukraine.
The number of infected systems could, in any case, be much greater, since it is a recent threat that they are still investigating.
The attack adds to other acts of electronic sabotage that Ukraine has suffered in the last month, against the backdrop of growing military tension with Russia.
Last Sunday, Ukrainian government sources said they had evidence of Russia's involvement in a cyber attack against several government websites.
That attack took place in the early hours of last Friday and is not directly related to the threat discovered by Microsoft, but it left the web pages of several Ukrainian ministries inaccessible for several hours.
The malware discovered by Microsoft installs itself in the boot sector of the computers it manages to infect and displays a notice similar to those of other ransomware programs, demanding a payment of $10,000 in Bitcoin to recover the computer's files.
But, according to Microsoft, this is where the threat diverges from classic ransomware cases.
A second program, which runs just after infection, overwrites most files on the machine's hard drive, making it impossible to recover them.
After overwriting the content, the software also renames each file with an extension of four apparently random bytes.
Another clue that this attack is not trying to raise funds but to destroy the information stored on the device is that the on-screen notice does not include a way to contact the attacker, which would be usual in a conventional attack to guide the victim through the steps to follow to recover their information.
MSTIC has not pointed to Russia as the source of the attack, but says it is aware of the geopolitical situation Ukraine is in.
“At the moment there are not many common elements between the unique characteristics of the group behind these attacks and the groups that we have traditionally tracked,” explains Tom Burt, Vice President of Microsoft Security.
The company has notified the affected organizations and several United States security agencies of the attack.
New filters in some of the company's security tools already protect systems against this attack.
Microsoft nevertheless recommends, as a security measure, that Ukrainian government organizations and companies step up their vigilance and enable additional protections such as two-step authentication.