In a blog published Saturday, Microsoft says it has discovered  a destructive malware being used to corrupt systems of multiple organizations in Ukraine. Microsoft Threat Intelligence Center (MSTIC) first discovered the ransomware-like malware on January 13. In response to this blog, an expert with Gurucul has offered perspective.

Subscribe
Notify of
guest

2 Expert Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Saumitra Das
Saumitra Das , CTO and Co-founder
InfoSec Expert
January 19, 2022 11:10 am

<p>The tactics used in this attack seem to focus on disruption rather than moneymaking. Wiping the MBR causing systems to go down is not beneficial to criminal gangs out to make a quick buck but very effective for nation states as a provocation or tool used for larger aims. Usually, malware that extorts based on disruption does not usually make the system inoperable but merely throttles it.</p>

Last edited 10 months ago by Saumitra Das
Saryu Nayyar
Saryu Nayyar , CEO
InfoSec Expert
January 18, 2022 2:02 pm

<p>As noted, this is not atypical ransomware as it overwrites the master boot record. Nation state threat actors usually have three objectives, spying for intelligence, intellectual property theft, and disruption/destruction. Clearly this is the latter as these threat actor groups aren\’t interested in simple financial gain. What is of note is the malware propagates through publicly available code used for lateral movement and execution. Part of that execution is downloading of file corruption software from a Discord channel. This is where it is critical to employ adaptive machine learning and behavioral detection found in true next generation SIEMs identifying the lateral movement and connection attempts to Discord. In addition, identity and access analytics are extremely useful here to determine unusual or unauthorized remote access. The combination of the two goes beyond sifting through traditional IoCs that can easily be missed or escalated by traditional SIEMs or XDR tools.</p>

Last edited 10 months ago by Saryu Nayyar
Information Security Buzz
2
0
Would love your thoughts, please comment.x
()
x