Microsoft identifies destructive malware targeting Ukrainian government agencies, looks like ransomware and has no ransom recovery mechanism
The Microsoft Threat Intelligence Center (MSTIC) has obtained evidence of a malware operation that targets and disrupts Ukrainian government agencies. The attack, dubbed 'DEV-0586' by MSTIC, looks like ransomware, which encrypts files on a PC, holds them hostage and demands a ransom in exchange for a decryption key, but it has no mechanism for collecting a ransom and is intended simply to render the device inoperable.
Malware attacks targeting Ukraine government --Microsoft On the Issues
Destructive malware targeting Ukrainian organizations --Microsoft Security Blog
https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
'DEV-0586' was first detected on January 13, 2022. According to MSTIC's analysis, there are two pieces of malware. The first, 'stage1.exe', resides in working folders such as 'C:\PerfLogs', 'C:\ProgramData', 'C:\' and 'C:\temp', and overwrites the master boot record (MBR) of the compromised system with a ransom note. The note's message, 'If you want to recover the HDD, you have to pay Bitcoin', is a pattern familiar from ransomware attacks.
However, ransomware usually encrypts the contents of files and demands payment with a promise of 'pay the ransom and I will send you the key to decrypt them', whereas 'DEV-0586' is malware merely disguised as ransomware: it is said to overwrite the MBR with no means of recovery at all. As for the note's contents, a genuine ransomware note offers the victim several contact methods, such as forums and e-mail addresses, but the 'DEV-0586' note contains only a Tox ID (an identifier for the Tox encrypted messaging protocol) and no custom ID that would link the victim to a decryption key; MSTIC describes it as simply formatted to look like a ransom note.
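A defender's triage check for the stage1 behaviour described above, added here as an example and not code from Microsoft's report: given the first 512 bytes of a disk image, it flags a boot sector whose code region has been replaced by readable text (or that mentions Bitcoin, as the quoted note does) or whose hash no longer matches a known-good baseline. The two sample sectors are constructed, and the 0.5 text-ratio threshold is an assumption.

```python
import hashlib
from typing import Optional

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # boot code precedes the 64-byte partition table
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def text_ratio(data: bytes) -> float:
    """Share of non-NUL bytes that are printable ASCII: machine code scores low,
    a human-readable note written in its place scores close to 1.0."""
    body = [b for b in data if b != 0]
    if not body:
        return 0.0
    printable = sum(1 for b in body if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(body)

def triage_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> dict:
    """Flag a 512-byte MBR image whose boot-code region holds text instead of code,
    or whose hash no longer matches a known-good baseline taken from the same host."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    boot_code = sector[:BOOT_CODE_SIZE]
    ratio = text_ratio(boot_code)
    findings = {
        "signature_ok": sector[-2:] == BOOT_SIGNATURE,  # a note variant may keep this valid
        "text_ratio": round(ratio, 2),
        "mentions_bitcoin": b"bitcoin" in boot_code.lower(),
        "matches_baseline": (None if baseline_sha256 is None
                             else sha256_hex(sector) == baseline_sha256.lower()),
    }
    findings["suspicious"] = (ratio > 0.5 or findings["mentions_bitcoin"]
                              or findings["matches_baseline"] is False)
    return findings

# Constructed samples, not real artefacts: a sector with a few bytes resembling a
# standard x86 boot-code prologue, and one whose code was replaced by a note modelled
# on the wording quoted above (assumed threshold: more than half printable is text).
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8"
CLEAN_MBR = CLEAN_CODE.ljust(BOOT_CODE_SIZE, b"\x00") + b"\x00" * 64 + BOOT_SIGNATURE
NOTE_TEXT = (b"Your hard drive has been corrupted.\r\n"
             b"If you want to recover the HDD, you have to pay Bitcoin.\r\n")
NOTE_MBR = NOTE_TEXT.ljust(BOOT_CODE_SIZE, b"\x00") + b"\x00" * 64 + BOOT_SIGNATURE

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("note", NOTE_MBR)):
        print(name, triage_mbr(mbr, baseline_sha256=sha256_hex(CLEAN_MBR)))
```

On a live host the baseline hash should come from a trusted earlier capture of sector 0, since the same-host comparison is what catches an overwrite that keeps a valid signature.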
The second, 'stage2.exe', is a downloader for a malicious file-corrupting payload. When run, stage2.exe downloads the next-stage malware hosted on Discord; that payload looks for files with specific extensions in specific folders on the system and, on a match, overwrites the file's entire contents and renames it with a random 4-byte extension. The targeted extensions are as follows.
.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU .SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .YML .ZIP
According to MSTIC, there are no signs that the malware exploits vulnerabilities in Microsoft products or services.
Ukrainian officials have reported that the attack was the work of a group related to Belarusian intelligence. Belarus is a pro-Russian ally, and the malware is similar to that used by groups associated with Russian intelligence.
EXCLUSIVE Ukraine suspects group linked to Belarus intelligence over cyberattack | Reuters
https://www.reuters.com/world/europe/exclusive-ukraine-suspects-group-linked-belarus-intelligence-over-cyberattack-2022-01-15/
in Security, Posted by logc_nt