Microsoft has identified a new malware family called ‘WhisperGate’ that masquerades as ransomware while carrying out “more destructive actions.”
The “ransomware” – which is in fact destructive malware with no way of recovering the data – has hit organizations in Ukraine, but Microsoft admits there may be unidentified victims in “other geographical locations,” which could include the US and the UK.
The malware also serves as the latest reminder of the importance of installing antivirus software, which may just save your skin if you’re targeted by this sort of attack.
What Is the ‘Ransomware’ Demanding?
Infected victims are shown a ‘ransom note’ informing them that their “hard drive has been corrupted” and that $10,000 worth of Bitcoin is required for recovery.
The note is displayed by overwriting the Master Boot Record (MBR) – the part of the disk that tells the computer how to load its operating system. Overwriting the MBR isn’t a technique normally seen in ransomware attacks, and it was the first sign that this might be something quite different.
According to the Microsoft Threat Intelligence Center (MSTIC), the malware is often named “stage1.exe” and executed via Impacket – a collection of Python classes for working with network protocols that threat actors frequently abuse to run commands on remote machines.
Stage2.exe – another file involved in the attacks – then downloads file-corrupting malware onto victims’ computers. That malware identifies files in specific directories, overwrites them and subsequently renames them.
“The malware identifies files in specific directories, overwrites them and subsequently renames the files – there is no ransom recovery mechanism.” – Microsoft.
Aside from targeting system MBRs, MSTIC noted there were several other features of the code that indicated this was not a typical ransomware attack.
For example, ransom demands are usually tailored to the target (the bigger the company, the more is demanded), whereas here every victim received the same note demanding the same amount.
Another feature of most ransomware attacks is a custom ID that victims are supposed to quote when corresponding with the attacker, so the attacker knows which decryption key to send once the ransom has been paid. No such IDs featured in the reported attacks.
When Was the Threat Detected and Who’s Behind It?
According to MSTIC, the malware first appeared on victims’ systems on January 13 of this year. All the affected entities found so far are based in Ukraine.
In another post, Microsoft explains that the attack “is designed to look like ransomware but lacks a ransom recovery mechanism” with the purpose of rendering “targeted devices inoperable rather than to obtain a ransom.”
The company admits, however, that it “do[es] not know the current state of this attacker’s operational cycle” and that this may be affecting further organizations based in Ukraine and “other geographical locations.”
“It is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.” – Microsoft.
Quite concerningly, those affected include government systems, non-profits and information technology organizations, and the actual scale of the attack could be larger than presently understood.
Reuters reports that Ukraine believes the malware could have been created by a group linked to Belarusian intelligence services, and that it is similar to malicious code previously used by Russian threat actors.
EU foreign policy chief Josep Borrell, on the other hand, said he “has no evidence who was responsible,” but that “we can imagine who is behind it.”
Could the Malware Affect US Businesses?
Ransomware attacks are becoming more and more prevalent, and the US tops the list of most targeted countries – in late 2021, cybersecurity firm Bitdefender found that 25% of ransomware attacks are aimed at the US.
Despite the rise of ‘ransomware-as-a-service’ – commercially available ransomware that can be bought online – fake ransomware attacks such as this one show that victims’ genuine fear of real ransomware, rather than the malicious code itself, is all an attacker needs to make a quick buck.
There have been recent reports of other ‘fake’ ransomware hitting US companies and organizations.
In November 2021, website security specialists Sucuri reported that WordPress sites were being hit with fake ransomware messages demanding a Bitcoin payment (worth roughly $6,000) or the site’s files would be ‘deleted’.
In fact, none of the files referenced by the threat actor were encrypted, and the ransom message turned out to be simply an HTML page generated by a phony plugin. A simple SQL command was found that located every article with its status set to ‘published’ and changed that status to ‘null’ – so the content was still in the database, merely hidden from the site.
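The check a site owner would run in that situation, as an added example that is not from the article or from Sucuri’s report: it builds a constructed, WordPress-style posts table in SQLite, lists the rows whose status was flipped to the bogus ‘null’ value, and reverses the change. The table layout and the ‘published’ status string are assumptions taken from the article’s wording (a real WordPress install stores the status as ‘publish’).

```python
import sqlite3

# Constructed sample of a WordPress-style posts table (not real site data).
# The article quotes the status as 'published', so that spelling is assumed
# here; a real install uses 'publish'.
SAMPLE_POSTS = [
    (1, "Welcome post", "published"),
    (2, "Pricing update", "null"),      # hidden by the rogue plugin's UPDATE
    (3, "Old draft", "draft"),
    (4, "Contact page", "null"),        # hidden by the rogue plugin's UPDATE
]

def build_db():
    """Create an in-memory wp_posts table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT)"
    )
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    conn.commit()
    return conn

def find_hidden_posts(conn):
    """Return (ID, title) of posts whose status was set to the bogus 'null' value.
    WordPress has no such status, so any row carrying it is evidence of tampering,
    and the row's content is still sitting in the table untouched."""
    return conn.execute(
        "SELECT ID, post_title FROM wp_posts WHERE post_status = 'null' ORDER BY ID"
    ).fetchall()

def restore_hidden_posts(conn):
    """Reverse the plugin's change: put every 'null' row back to 'published'.
    Returns the number of rows restored."""
    cur = conn.execute(
        "UPDATE wp_posts SET post_status = 'published' WHERE post_status = 'null'"
    )
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = build_db()
    print("hidden posts:", find_hidden_posts(db))
    print("rows restored:", restore_hidden_posts(db))
    print("still hidden:", find_hidden_posts(db))
```

Take a database backup before running the restore step, and remove the phony plugin first so it cannot flip the rows back.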
How Can My Business Protect Itself?
The two types of ‘fake’ ransomware attack described in this article point to different preventative measures your company should be taking to protect itself against malware.
The Ukrainian case is the latest reminder of the importance of installing antivirus software on your devices, be it your personal computer or company devices.
Computers with reliable antivirus software would have been able to root out the malware that was masquerading as ransomware, and valuable files wouldn’t have been deleted.
Microsoft also recommends “reviewing all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication” as well as enabling multi-factor authentication.
The WordPress case, on the other hand, shows that everyone in your business needs to know what a ransomware attack looks like and how it works. Having a ransomware response plan that all employees are familiar with is a must in 2022.
Paying a ransomware group for your own information is bad enough – but giving in to a threat actor that hasn’t actually encrypted or stolen any of your files, or that won’t be able to recover anything even if you do pay, would be even more frustrating.
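One way to start the review Microsoft recommends, as an added example that is not from the article or from Microsoft: it parses constructed remote-access log lines in an assumed key=value format and groups successful logins that carried no MFA step by account, so the single-factor accounts surface first.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed, simplified VPN/remote-access
# format; neither the lines nor the format come from any real product.
SAMPLE_LOG = """\
2022-01-14T02:11:03Z user=jdoe src=203.0.113.7 result=SUCCESS mfa=push
2022-01-14T02:13:40Z user=svc-backup src=198.51.100.23 result=SUCCESS mfa=none
2022-01-14T02:15:12Z user=asmith src=203.0.113.9 result=FAIL mfa=none
2022-01-14T03:02:55Z user=svc-backup src=198.51.100.23 result=SUCCESS mfa=none
2022-01-14T03:10:01Z user=mlee src=192.0.2.44 result=SUCCESS mfa=totp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)

def parse_log(text):
    """Parse each line into a dict of fields; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def single_factor_logins(events):
    """Successful remote logins with no MFA step, grouped by account.
    These accounts are the ones to review first; failed attempts are left out."""
    hits = defaultdict(list)
    for e in events:
        if e["result"] == "SUCCESS" and e["mfa"] == "none":
            hits[e["user"]].append((e["ts"], e["src"]))
    return dict(hits)

if __name__ == "__main__":
    for user, logins in single_factor_logins(parse_log(SAMPLE_LOG)).items():
        sources = sorted({src for _, src in logins})
        print(f"{user}: {len(logins)} single-factor login(s) from {sources}")
```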