The American Hospital Association (AHA) has urged healthcare organizations to review a recent Microsoft blog post warning of a new destructive malware variant that an Advanced Persistent Threat (APT) actor has used against critical infrastructure organizations in Ukraine.
The Microsoft Threat Intelligence Center detected the new destructive malware on January 13, 2022. It was being used by a previously unknown threat actor that Microsoft tracks as DEV-0586. Microsoft has not found any notable overlap with other tracked threat groups, and the attacks so far have been limited to government, non-profit, and information technology organizations in Ukraine; however, there is a risk that the malware will be used in more widespread attacks.
The malware, dubbed WhisperGate by Microsoft, masquerades as ransomware. After it executes, a ransom note is displayed, but there is no mechanism for recovering data. The malware is actually a Master Boot Record (MBR) wiper. It has been found in working directories including C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, is often named stage1.exe, and executes when the device is powered down, overwriting the MBR.
The MBR is the first sector of a BIOS-booted disk; it holds the boot code and partition table that the computer uses to locate and load the operating system. The malware overwrites the MBR so the operating system can no longer load, and the overwritten sector displays a fake ransom note stating that the victim should pay a $10,000 ransom to the attacker's Bitcoin wallet, whose address is included in the note. Payment should not be made: nothing was encrypted, and there is no method of recovery.
Microsoft says a file corrupter has also been used in the attacks. A second file, named stage2.exe, is a downloader: it retrieves the next-stage malware, which runs in memory and corrupts files with a wide range of extensions in certain directories on the system so that they cannot be restored.
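Because the damage is a rewritten sector 0 rather than encrypted files, it can be checked directly. The following script is an added example (not part of the AHA or Microsoft text) that reads the first 512 bytes of a disk, verifies the structure a legacy MBR must have (0x55AA boot signature, plausible four-entry partition table, non-text boot code) and compares the sector against a SHA-256 baseline captured when the host was known-good. The device path, the sample "good" sector and the sample "wiped" sector with a constructed ransom-note string are all assumptions made up for the example; the wallet text is not the real note. On GPT disks the protective MBR still lives in sector 0, so the structural checks still apply there.

```python
"""Sanity-check an MBR sector and compare it with a known-good baseline.

Added example: not code from the AHA article or from Microsoft.
"""
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR_SIZE = 512
PT_OFFSET = 446            # partition table starts after 446 bytes of boot code
BOOT_SIG = b"\x55\xaa"     # last two bytes of a valid MBR


def read_first_sector(device_path: str) -> bytes:
    """Read sector 0 from a raw device, e.g. r"\\.\PhysicalDrive0" on Windows
    or "/dev/sda" on Linux (needs administrator/root). Not called by the demo."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_partition_table(sector: bytes) -> List[Dict]:
    """Decode the four 16-byte partition entries."""
    entries = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the sector looks intact."""
    findings: List[str] = []
    if len(sector) != SECTOR_SIZE:
        return [f"unexpected sector length {len(sector)}"]
    if sector[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    entries = parse_partition_table(sector)
    active = 0
    for n, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"partition {n}: invalid status byte 0x{e['status']:02x}")
        if e["status"] == 0x80:
            active += 1
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append(f"partition {n}: typed but zero length")
    if active > 1:
        findings.append("more than one active partition")
    if not any(e["type"] != 0 for e in entries):
        findings.append("no partitions defined")
    # Boot code is machine code; a sector that is mostly printable ASCII is
    # a strong hint that a ransom note or other text was written over it.
    printable = sum(32 <= b < 127 for b in sector[:PT_OFFSET])
    if printable > PT_OFFSET * 0.6:
        findings.append("boot code area is mostly printable text (ransom note?)")
    if baseline_sha256 and hashlib.sha256(sector).hexdigest() != baseline_sha256:
        findings.append("sector hash differs from known-good baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed known-good sector: a few real-looking x86 boot bytes, one
    active NTFS (type 0x07) partition starting at LBA 2048, valid signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c\xbf\x00\x06"
    boot_code = boot_code.ljust(PT_OFFSET, b"\x00")
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                         b"\xfe\xff\xff", 2048, 1_000_000)
    return boot_code + entry0 + b"\x00" * 48 + BOOT_SIG


def build_wiped_sector() -> bytes:
    """Constructed sector 0 after a wiper replaced it with note text
    (invented wording, not the real WhisperGate note)."""
    note = (b"Your hard drive has been corrupted. To recover all hard drives of "
            b"your organization you should pay $10,000 via bitcoin. ")
    return (note * 10)[:SECTOR_SIZE]


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = hashlib.sha256(good).hexdigest()   # record this while the host is healthy
    print("known-good:", check_mbr(good, baseline) or "OK")
    print("wiped:", check_mbr(build_wiped_sector(), baseline))
```

In practice the baseline hash is taken per host at build time and stored off-box; a mismatch with a structurally valid sector can also be a legitimate bootloader update, so treat the structural findings and the hash mismatch as separate signals.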
Microsoft has provided indicators of compromise (IoCs) in the blog post that can be used to detect a potential intrusion. Microsoft urges organizations to review all authentication activity for remote access infrastructure, with particular focus on accounts configured with single-factor authentication, to confirm that the activity is genuine. Any anomalous activity should be investigated.
Microsoft also recommends implementing multi-factor authentication (MFA) and enforcing it for all remote connectivity, and enabling Controlled Folder Access (CFA) in Microsoft Defender for Endpoint to block unauthorized modification of the MBR and Volume Boot Record (VBR).
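The authentication review Microsoft asks for is easier to start if the gateway's export is triaged mechanically. The following script is an added example (not from the AHA article or from Microsoft): it takes remote-access logon events, keeps only successful single-factor logons, and annotates each with the reasons a reviewer would care about (source outside trusted ranges, off-hours, a burst of failures from the same source just before the success) and lists the accounts that still need MFA enforced. The CSV field names, the trusted network ranges, the business-hours window and every log line are constructed assumptions; map your VPN or RDP gateway's export onto the same fields.

```python
"""Triage remote-access logons for single-factor successes worth investigating.

Added example: not code from the AHA article or from Microsoft.
Assumed normalized fields: time (ISO 8601), user, src_ip, result, mfa.
"""
import csv
import io
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

# Constructed sample export; documentation/test ranges only, not real hosts.
SAMPLE_LOG = """time,user,src_ip,result,mfa
2022-01-14T08:02:11,jsmith,10.20.0.15,success,yes
2022-01-14T08:05:43,mlee,203.0.113.40,success,yes
2022-01-14T22:14:02,svc-backup,198.51.100.7,failure,no
2022-01-14T22:14:09,svc-backup,198.51.100.7,failure,no
2022-01-14T22:14:15,svc-backup,198.51.100.7,failure,no
2022-01-14T22:14:31,svc-backup,198.51.100.7,success,no
2022-01-15T03:40:57,jsmith,192.0.2.77,success,no
2022-01-15T09:12:00,mlee,203.0.113.40,success,yes
"""

# Assumptions for the example: corporate range plus a known partner range.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local time
FAILURE_BURST = 3                      # failures that make a success suspicious
FAILURE_WINDOW = timedelta(minutes=10)


def parse_events(text: str) -> List[Dict]:
    """Parse the CSV export into typed events, sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.fromisoformat(row["time"]),
            "user": row["user"],
            "src_ip": ip_address(row["src_ip"]),
            "success": row["result"] == "success",
            "mfa": row["mfa"] == "yes",
        })
    events.sort(key=lambda e: e["time"])
    return events


def triage(events: List[Dict]) -> List[Dict]:
    """Return one finding per successful single-factor logon, with reasons."""
    findings = []
    for i, ev in enumerate(events):
        if not (ev["success"] and not ev["mfa"]):
            continue
        reasons = ["single-factor success"]
        if not any(ev["src_ip"] in net for net in TRUSTED_NETS):
            reasons.append(f"source {ev['src_ip']} outside trusted ranges")
        if ev["time"].hour not in BUSINESS_HOURS:
            reasons.append(f"off-hours logon at {ev['time'].strftime('%H:%M')}")
        window_start = ev["time"] - FAILURE_WINDOW
        prior_failures = sum(
            1 for p in events[:i]
            if p["user"] == ev["user"] and p["src_ip"] == ev["src_ip"]
            and not p["success"] and p["time"] >= window_start)
        if prior_failures >= FAILURE_BURST:
            reasons.append(f"{prior_failures} failures preceded success (guessing?)")
        findings.append({"time": ev["time"].isoformat(), "user": ev["user"],
                         "src_ip": str(ev["src_ip"]), "reasons": reasons})
    return findings


def single_factor_accounts(events: List[Dict]) -> Set[str]:
    """Accounts that logged on successfully without MFA: the MFA-enforcement list."""
    return {e["user"] for e in events if e["success"] and not e["mfa"]}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in triage(evs):
        print(f["time"], f["user"], f["src_ip"], "; ".join(f["reasons"]))
    print("enforce MFA for:", sorted(single_factor_accounts(evs)))
```

Every single-factor success is reported, not only the anomalous ones, because Microsoft's guidance is to confirm the authenticity of that whole class of logons; the extra reasons just order the queue. Service accounts such as the constructed svc-backup are the usual exception to MFA and therefore the usual target, so they deserve the first look.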
Officials in Ukraine announced over the weekend that they have uncovered evidence that the attacks were conducted by Belarus, which has strong ties with Russia. Threat actors have previously targeted critical infrastructure in Ukraine with NotPetya, a wiper that likewise posed as ransomware; those attacks spread rapidly around the world, causing major disruption and data loss.
“As we have seen in the past, destructive malware targeting the Ukraine can spread rapidly across the globe. It is again strongly recommended to assess any direct, 3rd party business associate connections and email contacts in the Ukraine and that region of the world. Consider blocking such connections,” said John Riggi, AHA national advisor for cybersecurity and risk. “Geo-fencing for all inbound and outbound traffic related to Ukraine and that region may help mitigate direct cyber risk presented by this threat; it will have limited impact in reducing indirect risk, in which the malware transits through other nations, proxies and third parties. Thus, increased monitoring of networks and incident-response preparedness is also strongly recommended.”