Alert - Wiper malware targeting Ukrainian organizations

Number: AL22-001
Date: January 17, 2022   

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat Cyber threatA threat actor, using the internet, who takes advantage of a known vulnerability in a product for the purposes of exploiting a network and the information the network carries. that may impact cyber information assets, and to provide additional detection DetectionThe monitoring and analyzing of system events in order to identify unauthorized attempts to access system resources. and mitigation advice to recipients. The Canadian Centre for Cyber Security Cyber securityThe protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability. ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Overview

Microsoft Threat Intelligence Center (MSTIC) published a blog post detailing a malware MalwareMalicious software designed to infiltrate or damage a computer system, without the owner's consent. Common forms of malware include computer viruses, worms, Trojans, spyware, and adware. campaign targeting multiple Ukrainian organisations ^{Footnote 1}.

Details

On 15 January 2022, MSTIC published a blog post highlighting a malware campaign targeting Ukrainian organisations in various sectors. The United States Cybersecurity & Infrastructure Security Agency (CISA) amplified this publication on 16 January 2022  ² .

MSTIC indicates that initial evidence of this campaign surfaced on victim systems in Ukraine on January 13, 2022. Affected sectors currently include government, non-profit, and information technology, with the possibility of more organisations and sectors being affected as the situation evolves. Microsoft states, “MSTIC is not able to assess intent of the identified destructive actions but does believe these actions represent an elevated risk to any government agency, non-profit or enterprise located or with systems in Ukraine.” ^{ootnote 1}

The malware being delivered purports to be ransomware RansomwareA type of malware that denies a user's access to a system or data until a sum of money is paid. , as a ransom note is provided, but there is no mechanism for recovery and targeted devices are inoperable after infection. The malware overwrites the contents of the master boot record (MBR), a small portion of the hard drive that tells the computer how to load its operating system when the computer is powered on. In addition, second-stage malware downloads and executes malicious code designed to overwrite OverwriteTo write or copy new data over existing data. The data that was overwritten cannot be retrieved. files containing specific file extensions (see MSTICs blog^{Footnote 1} for a list of 189 file extensions so far).

The MSTIC blog post also provides indicators of compromise CompromiseThe intentional or unintentional disclosure of information, which adversely impacts its confidentiality, integrity, or availability. and other recommended actions for system owners and operators responsible for defending their systems and networks from cyber threats. Microsoft advises monitoring their blog post as it will be updated if the situation evolves.

Should activity matching the content of this Alert be discovered, recipients are encouraged to report via the My Cyber Portal, contact the Cyber Centre by email (contact@cyber.gc.ca), or by telephone (1-833-CYBER-88 or 1-833-292-3788).