Threat Signal Report

Wiper malware hit Ukrainian organizations

description-logo Description

UPDATE January 19: Updated Coverage section about the third malware that FortiGuard Labs has confirmed as a wiper malware.


FortiGuard Labs is aware of a report that multiple organizations in the Ukraine were impacted by destructive malware. The malware looks to be some kind of ransomware at first glance; however, it does not have the telltale signs of ransomware. It overwrites the victim's Master Boot Record (MBR) and files with specific file extensions without any recovery mechanism, which are enough to classify the malware as a destructive wiper malware.


Why is this Significant?

This is significant because the attack involves a wiper malware that destroys the victim's MBR and certain files without any recovery mechanism.


How Widespread is the Attack?

At this point, the attack only affected multiple unnamed organizations in Ukraine.


What the Details of the Attack?

Initial attack vector has not yet been identified.


This attack involves three malware.

The first malware overwrites the victim's Master Boot Record (MBR) which makes Windows OS unbootable and leaves a ransom note that reads below:


Your hard drive has been corrupted.

In case you want to recover all hard drives

of your organization,

You should pay us $10k via bitcoin wallet

1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via

tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65

with your organization name.

We will contact you to give further instructions.


The second malware simply downloads a wiper malware hosted on a Discord channel and executes it.


The wiper malware searches for and overwrites files with the following file extensions on the victim's machine:


.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU.SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP


It also changes the file extension of the affected file to a random four-byte extension.


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against the malware involved:


W32/KillMBR.NGI!tr

MSIL/Agent.FP!tr.dldr

MSIL/Agent.QWILJV!tr

W32/KillFiles.NKU!tr.ransom

MSIL/VVH!tr


The following AV coverage is available for the the third malware which FortiGuard Labs has confirmed as a wiper malware:

MSIL/Agent.VVH!tr


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.