In a blog post published Saturday, Microsoft said it has discovered destructive malware being used to corrupt the systems of multiple organizations in Ukraine. The Microsoft Threat Intelligence Center (MSTIC) first identified the ransomware-like malware on January 13. In response to this post, experts from Blue Hexagon and Gurucul have offered their perspective.

Expert Comments

January 19, 2022
Saumitra Das
CTO and Co-founder
Blue Hexagon

The tactics used in this attack seem to focus on disruption rather than moneymaking. Wiping the MBR, causing systems to go down, is not beneficial to criminal gangs out to make a quick buck, but it is very effective for nation states as a provocation or as a tool used for larger aims. Usually, malware that extorts based on disruption does not make the system inoperable but merely throttles it.

January 18, 2022
Saryu Nayyar
CEO
Gurucul

As noted, this is not atypical ransomware, as it overwrites the master boot record. Nation-state threat actors usually have three objectives: spying for intelligence, intellectual property theft, and disruption/destruction. Clearly this is the latter, as these threat actor groups aren't interested in simple financial gain. What is of note is that the malware propagates through publicly available code used for lateral movement and execution. Part of that execution is the downloading of file-corruption software from a Discord channel. This is where it is critical to employ the adaptive machine learning and behavioral detection found in true next-generation SIEMs, identifying the lateral movement and connection attempts to Discord. In addition, identity and access analytics are extremely useful here to determine unusual or unauthorized remote access. The combination of the two goes beyond sifting through traditional IoCs that can easily be missed or escalated by traditional SIEMs or XDR tools.

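The two behaviors the commentary above singles out, lateral movement inside the network and a payload fetch from a Discord channel, can be correlated without relying on a fixed hash or IP. The following is an added example written for this page; it is not code from Microsoft, Gurucul or Blue Hexagon. It runs over a handful of constructed flow records, and the log format, the 10/8 internal range, the port list, the Discord hostnames and the thresholds are all assumptions chosen for illustration.

```python
"""
Added example (not from the original article or any vendor product):
correlate two behaviours per source host within a time window:
  (a) fan-out to many internal peers on SMB/RPC/WinRM ports, and
  (b) an outbound fetch from a Discord CDN host.
Either signal alone is noisy; both together on one host is worth an alert.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicator sets for this illustration.
LATERAL_PORTS = {445, 135, 5985, 5986}           # SMB, RPC/WMI, WinRM
DISCORD_HOSTS = ("cdn.discordapp.com", "discord.com")

# Constructed sample flow log: "<utc-time> <src> <dst> <dport> <sni-or-host>".
# 198.51.100.10 is a documentation-range address standing in for a CDN edge.
SAMPLE_LOGS = """\
2022-01-13T09:00:01Z 10.0.1.20 10.0.1.21 445 -
2022-01-13T09:00:02Z 10.0.1.20 10.0.1.22 445 -
2022-01-13T09:00:03Z 10.0.1.20 10.0.1.23 135 -
2022-01-13T09:00:04Z 10.0.1.20 10.0.1.24 5985 -
2022-01-13T09:00:05Z 10.0.1.20 10.0.1.25 445 -
2022-01-13T09:00:06Z 10.0.1.20 10.0.1.26 445 -
2022-01-13T09:02:10Z 10.0.1.20 198.51.100.10 443 cdn.discordapp.com
2022-01-13T09:05:00Z 10.0.2.77 198.51.100.10 443 cdn.discordapp.com
2022-01-13T09:10:00Z 10.0.3.5 10.0.3.6 445 -
2022-01-13T09:10:01Z 10.0.3.5 10.0.3.7 445 -
2022-01-13T09:10:02Z 10.0.3.5 10.0.3.8 445 -
2022-01-13T09:10:03Z 10.0.3.5 10.0.3.9 445 -
2022-01-13T09:10:04Z 10.0.3.5 10.0.3.10 445 -
2022-01-13T09:10:05Z 10.0.3.5 10.0.3.11 445 -
2022-01-13T09:10:06Z 10.0.3.5 10.0.3.12 445 -
"""


def parse_line(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, src, dst, dport, host = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "dst": dst,
        "dport": int(dport),
        "host": host,
    }


def is_internal(ip):
    """Assumption for this example: 10.0.0.0/8 is the internal network."""
    return ip.startswith("10.")


def detect(log_text, fanout_threshold=5, window=timedelta(minutes=30)):
    """Return one alert per (host, Discord fetch) where the same host also
    touched >= fanout_threshold distinct internal peers on lateral-movement
    ports within +/- window of the fetch."""
    lateral = defaultdict(list)    # src -> [(ts, dst)]
    downloads = defaultdict(list)  # src -> [(ts, host)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if is_internal(e["dst"]) and e["dport"] in LATERAL_PORTS:
            lateral[e["src"]].append((e["ts"], e["dst"]))
        elif e["host"].endswith(DISCORD_HOSTS):
            downloads[e["src"]].append((e["ts"], e["host"]))

    alerts = []
    for src, fetches in downloads.items():
        for fetch_ts, host in fetches:
            peers = {dst for ts, dst in lateral.get(src, [])
                     if abs(ts - fetch_ts) <= window}
            if len(peers) >= fanout_threshold:
                alerts.append({
                    "host": src,
                    "peers": sorted(peers),
                    "download_from": host,
                    "at": fetch_ts.isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(f"{alert['at']} {alert['host']} fetched from "
              f"{alert['download_from']} after touching "
              f"{len(alert['peers'])} internal peers: {alert['peers']}")
```

In the constructed data only 10.0.1.20 trips the rule: 10.0.2.77 reaches the Discord CDN but shows no fan-out (a workstation on chat), and 10.0.3.5 fans out on SMB but never fetches from Discord (a backup or scanning host). The threshold and window are the knobs to tune against a real environment's baseline before this is worth paging on.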