On Saturday, a Microsoft Security blog identified a cyberattack that is ongoing against Ukrainian government agencies and organizations within the country. According to Microsoft, there are dozens of computer networks that have been affected by the malware campaign.
Interestingly, the attacks appear to be ransomware, a common type of cyberattack. However, Microsoft Security points out that the attack is in reality destructive malware masquerading as ransomware.
With the malware, threat actors are targeting government and private organizations in Ukraine. Some of the government agencies provide essential emergency response services. At the core of the malware is the ability to render computers inoperable.
“Our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues,” Microsoft Security confirmed in a blog post Saturday. “These systems span multiple government, non-profit and information technology organizations, all based in Ukraine.”
Microsoft points to the following reasons why this is not a ransomware attack:
- “Ransomware payloads are typically customized per victim. In this case, the same ransom payload was observed at multiple victims.
- Virtually all ransomware encrypts the contents of files on the filesystem. The malware in this case overwrites the MBR with no mechanism for recovery.
- Explicit payment amounts and cryptocurrency wallet addresses are rarely specified in modern criminal ransom notes, but were specified by DEV-0586. The same Bitcoin wallet address has been observed across all DEV-0586 intrusions and at the time of analysis, the only activity was a small transfer on January 14.
- It is rare for the communication method to be only a Tox ID, an identifier for use with the Tox encrypted messaging protocol. Typically, there are websites with support forums or multiple methods of contact (including email) to make it easy for the victim to successfully make contact.
- Most criminal ransom notes include a custom ID that a victim is instructed to send in their communications to the attackers. This is an important part of the process where the custom ID maps on the backend of the ransomware operation to a victim-specific decryption key. The ransom note in this case does not include a custom ID.”
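As an added illustration that is not part of the Microsoft post or this article, the following Python triage heuristic applies the five criteria above to ransom-note text, and also checks whether the same wallet address turns up in notes collected from several hosts; the regular expressions and the sample notes are constructed assumptions, not real artifacts from this campaign.

```python
import re
from collections import defaultdict

# Heuristic patterns (assumptions, not indicators from the campaign): each flags one
# of the traits the list above says separates a wiper's decoy from a criminal ransom note.
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")  # a Tox ID is 76 hex characters
BTC_RE = re.compile(r"\b(?:bc1[0-9a-z]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL_RE = re.compile(r"https?://\S+|\b\S+\.onion\b")
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*|\b\d+(?:\.\d+)?\s*(?:BTC|bitcoin)\b", re.I)
VICTIM_ID_RE = re.compile(r"\b(?:personal|your|victim|unique|decryption)\s+id\b", re.I)

def triage_note(note: str) -> dict:
    """Score one note: the more criteria it trips, the less it resembles criminal ransomware."""
    has_tox = bool(TOX_ID_RE.search(note))
    other_contact = bool(EMAIL_RE.search(note) or URL_RE.search(note))
    indicators = {
        "tox_only_contact": has_tox and not other_contact,   # only a Tox ID to reach the actor
        "explicit_amount": bool(AMOUNT_RE.search(note)),     # fixed price stated in the note
        "wallet_in_note": bool(BTC_RE.search(note)),         # wallet address hard-coded
        "no_victim_id": not VICTIM_ID_RE.search(note),       # nothing to map to a per-victim key
    }
    score = sum(indicators.values())
    return {"indicators": indicators, "score": score,
            "verdict": "possible wiper decoy" if score >= 3 else "consistent with criminal ransomware"}

def shared_wallets(notes_by_host: dict) -> dict:
    """Wallet addresses that appear in notes from more than one host (same payload, same wallet)."""
    seen = defaultdict(set)
    for host, note in notes_by_host.items():
        for wallet in BTC_RE.findall(note):
            seen[wallet].add(host)
    return {w: sorted(h) for w, h in seen.items() if len(h) > 1}

# Constructed sample notes (not real ransom notes).
TOX = "0123456789ABCDEF" * 4 + "0123456789AB"  # 76 hex chars
DECOY_NOTE = (
    "Your hard drive has been corrupted.\n"
    "Send $10,000 worth of bitcoin to wallet 1ConstructedWa11etAddressXYZ\n"
    f"and contact us via Tox ID: {TOX}\n"
)
CRIMINAL_NOTE = (
    "Your files are encrypted. Your personal ID: CONSTRUCTED-0001\n"
    "Write to support@constructed-example.test or visit http://constructed-example.onion\n"
    "The price depends on how fast you write to us.\n"
)

if __name__ == "__main__":
    print(triage_note(DECOY_NOTE)["verdict"], "|", triage_note(CRIMINAL_NOTE)["verdict"])
    print(shared_wallets({"host-a": DECOY_NOTE, "host-b": DECOY_NOTE, "host-c": CRIMINAL_NOTE}))
```

A high score is a prompt to image the disk and check the MBR before any recovery attempt, not proof of a wiper on its own.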
Microsoft first discovered the malware campaign last Thursday, as a cyberattack took down dozens of Ukrainian government web portals at the same time. That attack came with the message “be afraid and expect the worst.”
Tensions between Ukraine and Russia continue, with Moscow placing 100,000 troops on the border. While the threat of a physical attack is clear, there is no doubt Russia could also engage in cyber warfare.
In Ukraine, officials have blamed Russia for the attacks, claiming hacking groups associated with Moscow were responsible. Russia has denied involvement, and Microsoft did not say whether it believes the attacks were state-sponsored.