Thursday, May 19, 2022

Data-wiping malware hitting Ukrainian computer systems displays fake ransom demand • Graham Cluley


Somebody is targeting Windows computer systems in Ukraine with malware, and for some reason they want it to look like ransomware.

As Microsoft reports, a number of organisations in Ukraine have been targeted by malware which displays what appears to be a ransom demand on boot-up.

The message stored in the hard disk's master boot record (MBR) reads as follows:

Your hard drive has been corrupted.
In case you want to recover all hard drives
of your organization,
You should pay us $10k via bitcoin wallet
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via
tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65
with your organization name.
We will contact you to give further instructions.

However, the ransom demand is fake. The malware – which Microsoft is calling WhisperGate – wipes data files in selected directories on a victim's computer rather than encrypting them.

Once the malware has done its dirty work, files with the following extensions will have been overwritten with 1MB worth of "Ì" characters (0xcc in hexadecimal):

.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU .SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP

In addition, overwritten files are renamed with a seemingly random four-character extension.
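The two traits just described (a file body of exactly 1MB of 0xCC bytes, and a rename to a four-character extension) are enough to triage a directory tree after the fact. The following is an added example, not code from the article or from Microsoft's report: it walks a tree, flags files whose content matches the wipe pattern, and separately inventories intact files whose extensions appear in the targeted list so they can be prioritised for backup. The 1MB size, the 0xCC filler, the sample files it builds and the extension subset it uses are all assumptions drawn from the text above.

```python
"""Triage helper for WhisperGate-style wiped files (added example).

Assumes the behaviour described in the article: a wiped file has been
overwritten with 1MB of 0xCC bytes and renamed with a random four-character
extension. The sample tree created by build_sample_tree() is constructed
for illustration only.
"""
import os
import random
import string
import tempfile

WIPE_BYTE = 0xCC
WIPE_SIZE = 1024 * 1024   # "1MB worth" of 0xCC, per the article
CHUNK = 64 * 1024         # read size; WIPE_SIZE is a multiple of this

# Subset of the targeted-extension list above (assumption: enough to show
# the at-risk inventory; extend it with the full list for real use).
TARGETED = {".docx", ".xlsx", ".pptx", ".pdf", ".sql", ".vmdk",
            ".pem", ".key", ".zip", ".bak", ".raw"}


def is_wiped(path: str) -> bool:
    """True if the file is exactly WIPE_SIZE bytes and every byte is 0xCC.

    Content is the primary signal: the random extension alone proves
    nothing, but a 1MB run of a single filler byte is not a real document.
    """
    try:
        if os.path.getsize(path) != WIPE_SIZE:
            return False
        filler = bytes([WIPE_BYTE]) * CHUNK
        with open(path, "rb") as fh:
            while True:
                chunk = fh.read(CHUNK)
                if not chunk:
                    return True
                if chunk != filler[:len(chunk)]:
                    return False
    except OSError:
        return False


def has_random_style_extension(path: str) -> bool:
    """Supporting evidence only: four alphanumeric chars, not a known type."""
    ext = os.path.splitext(path)[1]
    body = ext[1:]
    return len(body) == 4 and body.isalnum() and ext.lower() not in TARGETED


def scan(root: str) -> dict:
    """Bucket every file under root into wiped / at_risk / other."""
    result = {"wiped": [], "at_risk": [], "other": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if is_wiped(p):
                result["wiped"].append(p)
            elif os.path.splitext(name)[1].lower() in TARGETED:
                result["at_risk"].append(p)
            else:
                result["other"].append(p)
    return result


def build_sample_tree(root: str) -> None:
    """Constructed samples: two wiped files, two intact targeted files, one other."""
    rnd = random.Random(1)
    for _ in range(2):
        ext = "".join(rnd.choices(string.ascii_letters + string.digits, k=4))
        with open(os.path.join(root, f"report.{ext}"), "wb") as fh:
            fh.write(bytes([WIPE_BYTE]) * WIPE_SIZE)
    with open(os.path.join(root, "budget.xlsx"), "wb") as fh:
        fh.write(b"PK\x03\x04 constructed sample, not a real spreadsheet")
    # Same size as a wiped file but one byte differs: must NOT be flagged.
    with open(os.path.join(root, "image.raw"), "wb") as fh:
        fh.write(bytes([WIPE_BYTE]) * (WIPE_SIZE - 1) + b"\x00")
    with open(os.path.join(root, "notes.md"), "w") as fh:
        fh.write("constructed sample\n")


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, return basenames per bucket."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        res = scan(tmp)
        return {k: sorted(os.path.basename(p) for p in v) for k, v in res.items()}


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(bucket, files)
```

The size check runs first so that a scan over a large share costs one stat per file and only reads candidates of exactly 1MB; the extension heuristic is deliberately kept as secondary evidence, since legitimate four-letter extensions such as .DOCX sit in the targeted list itself.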

According to Microsoft, the attacks have been seen at a number of government, non-profit, and information technology organisations.


I hope these organisations have the capability to determine how an attacker might have infected their systems, and access to a secure backup of their data files.

One big question goes unanswered. Who might be behind the attack, and why might they be doing it? No-one has definitive answers for that yet, but anybody who is keeping up to date with the geopolitical situation in the area will probably have their suspicions…




Graham Cluley is a veteran of the anti-virus industry, having worked for numerous security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

Follow him on Twitter at @gcluley, or drop him an email.


