Last week it was reported that Ukrainian government servers were hit by a significant cyberattack that took down government websites. Some of the affected systems, including the Foreign Ministry’s website, displayed an ominous message written in Russian, Ukrainian, and Polish. “Ukrainians! All data on the computer is being destroyed, it is impossible to recover it,” the message said. “All information about you has become public, be afraid and expect the worst.” No one claimed responsibility for the attack, but Russia currently has 100,000 troops positioned along its border with Ukraine, stoking fears of an impending invasion.
Right after the cyberattack, the Microsoft Threat Intelligence Center (MSTIC) said it had identified malware, designed to destroy data, targeting Ukrainian organizations. It works similarly to ransomware but has several key differences. Most importantly, it doesn’t provide a way to pay a ransom or restore affected data. Instead, it wipes the data permanently. According to MSTIC’s report, ransomware typically doesn’t target the Master Boot Record, which tells the computer how to load the operating system, but this malware does, overwriting it. Another difference is that this same malware was found on multiple systems, whereas each piece of ransomware is usually tailored per victim. Microsoft is still analyzing the malware, but it has already deployed protections through Microsoft Defender, which detects it under the name WhisperGate (e.g., DoS:Win32/WhisperGate.A!dha).