On January 13, the Microsoft Threat Intelligence Center (MSTIC) identified multiple cases of malware targeting organisations in Ukraine. The Ukrainian government has indicated that it has ‘evidence’ that the cyberattack was carried out by Russian nation-state actors. Russia has since stated that it had nothing to do with the attack. Regardless of who initiated it, the attack appears likely to prove more destructive and to affect more businesses than initially expected. In this article we discuss how the cyberattack affects systems, the indicators of compromise, how it could have been avoided, and how we can help you avoid a similar attack on your business.
The attack explained
What makes this attack particularly interesting is that the malware was disguised as ransomware. In the first stage of the attack, once the malware enters a system, it overwrites the Master Boot Record with a ransom note asking the user to pay $10,000 in Bitcoin to a specified cryptocurrency wallet and then send a message to a Tox ID in order to recover the data from the corrupted hard drive.
However, this ransom note is a ruse, and additional malware is executed when the device is powered off. The true malware destroys the Master Boot Record and its contents. This is not common behaviour for criminal ransomware because:
- Nearly all ransomware encrypts the contents of files and the system. This malware overwrites the Master Boot Record, making it impossible to recover the data.
- Ransomware payloads are typically customised for each victim.
- It is not common for a ransomware attack to use a Tox ID for communication.
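The first stage described above leaves its mark on the first sector of the disk, so a defender's first question after an incident is whether the boot sector still looks like a boot sector. The PowerShell below is an added example, not code from the article or from Microsoft, that checks a 512-byte sector image for generic signs of tampering: a hash mismatch against a known-good baseline, a missing 0x55AA signature, malformed partition entries, and long runs of printable text where boot code should be. The two sample sectors are constructed inline, and the commented-out live-disk read assumes the system disk is PhysicalDrive0.

```powershell
# Added example, not part of the original article: sanity-check a 512-byte boot
# sector image. Offsets follow the classic MBR layout: boot code at 0-445, four
# 16-byte partition entries starting at 446, and the 0x55AA signature at 510-511.
function Test-MbrSanity {
    param(
        [Parameter(Mandatory)][byte[]]$Sector,
        [string]$BaselineSha256 = ''   # hash of a known-good copy, if you keep one
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($Sector.Length -ne 512) {
        $findings.Add("unexpected sector length $($Sector.Length), expected 512")
        return ,$findings
    }
    # Strongest check: compare against a baseline hash captured while the host was clean
    if ($BaselineSha256) {
        $sha  = [System.Security.Cryptography.SHA256]::Create()
        $hash = ($sha.ComputeHash($Sector) | ForEach-Object { $_.ToString('x2') }) -join ''
        if ($hash -ne $BaselineSha256.ToLower()) {
            $findings.Add("sector hash $hash differs from baseline")
        }
    }
    # Boot signature must be 0x55 0xAA at offsets 510-511
    if ($Sector[510] -ne 0x55 -or $Sector[511] -ne 0xAA) {
        $findings.Add('missing 0x55AA boot signature')
    }
    # Each partition entry starts with a status byte of 0x00 (inactive) or 0x80 (bootable)
    for ($i = 0; $i -lt 4; $i++) {
        $status = $Sector[446 + 16 * $i]
        if ($status -ne 0x00 -and $status -ne 0x80) {
            $findings.Add(('partition entry {0} has invalid status byte 0x{1:X2}' -f $i, $status))
        }
    }
    # A long run of printable ASCII in the boot-code area suggests it was replaced by text
    $run = 0; $maxRun = 0
    foreach ($b in $Sector[0..445]) {
        if ($b -ge 0x20 -and $b -le 0x7E) { $run++; if ($run -gt $maxRun) { $maxRun = $run } }
        else { $run = 0 }
    }
    if ($maxRun -ge 64) {
        $findings.Add("boot-code area holds a $maxRun-byte run of printable text")
    }
    return ,$findings
}

# Constructed sample 1: minimal well-formed sector with one bootable partition entry
$healthy = [byte[]]::new(512)
$healthy[446] = 0x80; $healthy[510] = 0x55; $healthy[511] = 0xAA

# Constructed sample 2: sector whose contents were replaced by note text, no signature
$overwritten = [byte[]]::new(512)
$text = [System.Text.Encoding]::ASCII.GetBytes('constructed note text, not a real sample. ' * 12)
[Array]::Copy($text, $overwritten, [Math]::Min($text.Length, 512))

Test-MbrSanity -Sector $healthy
Test-MbrSanity -Sector $overwritten

# To inspect the live disk, run from an elevated prompt (read-only open; drive 0 assumed):
# $fs = [System.IO.File]::Open('\\.\PhysicalDrive0', 'Open', 'Read', 'ReadWrite')
# $live = [byte[]]::new(512); [void]$fs.Read($live, 0, 512); $fs.Close()
# Test-MbrSanity -Sector $live -BaselineSha256 '<hash captured at build time>'
```

The heuristics are deliberately generic: a tampered sector may pass some of them, so the baseline hash is the check to rely on, and capturing it should be part of the build process rather than something done after an alert.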
In the second stage of the attack, Stage2.exe downloads additional malware hosted on a Discord channel. Once that malware is executed, it locates all files with certain file extensions and corrupts them. Among the files that would be corrupted are ZIP files, config files, Excel documents, Word documents, images and website documents. This process is typically irreversible unless the business has a comprehensive backup solution.
It is assumed that this attack was carried out by a Russian nation-state actor as part of the country's ongoing intimidation campaign against Ukraine. Initially the organisations affected by this malware were government and public sector digital infrastructure, including websites. The malware also spread to other non-profit and information technology companies. As the attack was not a true ransomware attack, it is believed that it was designed to cause unrest within the country. It also coincided with Russia mobilising 100,000 troops on the border of Ukraine.
What this means for your organisation
Thankfully, Microsoft has created and implemented detections for this malware family via Microsoft Defender Antivirus and Microsoft Defender for Endpoint for both on-premises and cloud environments. If your business has either of these solutions, it will be protected from this attack.
Attacks from nation-state actors are often highly sophisticated and difficult to detect. However, in general, businesses should follow the steps below to avoid falling victim to an attack:
- Enable multifactor authentication (MFA) to mitigate potentially compromised credentials, and ensure that MFA is enforced for all remote connectivity.
- Enable Controlled Folder Access (CFA) in Microsoft Defender for Endpoint to prevent MBR/VBR modification.
- Implement a comprehensive email security solution to reduce the chance of a phishing attack.
- Keep all systems, operating systems and applications up to date with security patches.
- Implement a disaster recovery plan and make use of a backup solution, so that if your business does fall victim to an attack there is no significant downtime or loss of data.
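The Defender-related points above (current detections, Controlled Folder Access) can be applied and verified from an elevated PowerShell prompt on each host. The script below is an added example and is not code from the article or from Microsoft; it uses the Defender cmdlets and the Controlled Folder Access event IDs as documented, while the folder and application paths are placeholders to be replaced with your own.

```powershell
# Added example, not part of the original article. Run elevated on a host with
# Microsoft Defender Antivirus. Paths under step 3 are placeholders.

# 1. Confirm Defender is running and its signatures are current: the article notes
#    that detections for this family ship through Defender updates.
$status = Get-MpComputerStatus
$status | Select-Object AMServiceEnabled, RealTimeProtectionEnabled,
                        AntivirusSignatureVersion, AntivirusSignatureLastUpdated
if ($status.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-1)) {
    Update-MpSignature
}

# 2. Controlled Folder Access: start in audit mode so writes that would be blocked
#    are only logged, review the events, then switch to enforcement.
Set-MpPreference -EnableControlledFolderAccess AuditMode
# ... after reviewing the audit events for false positives:
Set-MpPreference -EnableControlledFolderAccess Enabled

# 3. Protect folders beyond the defaults and allow a trusted application that
#    legitimately writes to them (placeholder paths).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance', 'D:\Shared'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\LOBApp\lobapp.exe'

# 4. Verify the resulting configuration
Get-MpPreference | Select-Object EnableControlledFolderAccess,
                                 ControlledFolderAccessProtectedFolders,
                                 ControlledFolderAccessAllowedApplications

# 5. Pull recent CFA events to confirm the control is working. 1123/1124 are
#    blocked/audited folder writes; 1127/1128 are blocked/audited disk sector
#    writes, which is the MBR/VBR protection referred to above.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124, 1127, 1128
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message
```

Audit mode first matters in practice: backup agents and line-of-business applications that write to user document folders will show up as 1124 events, and adding them as allowed applications before enforcement avoids an outage that would otherwise lead to the control being switched off.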
This attack is another example of how the cybersecurity threat landscape is constantly evolving, with attackers disguising their intentions and launching destructive multi-stage attacks on a wide variety of businesses. It further shows that no business is safe from being the target of such an attack, regardless of industry, location or size.