Ukrainian organizations hit by malware – Microsoft investigation

Representatives of the Microsoft Threat Intelligence Center (MSTIC) have found evidence of a destructive malicious operation targeting more than 70 organizations in Ukraine. On January 13, 2022, ransomware was detected in the websites of Ukrainian ministries and government agencies.

Microsoft is aware of the situation in Ukraine and the surrounding region, and therefore encourages companies to use the information contained in this article to protect themselves from any malicious activity.

The investigation into the causes of cyber attacks on Ukrainian state websites continues. To date, MSTIC has not found any relationship between this malicious activity, designated DEV-0586, and other known attack groups.

MSTIC notes that malware that looks like ransomware does not have a ransom mechanism and does not perform the main function of obtaining monetary compensation for restoring access to data. At the same time, the actions of such software cause inoperability of devices and systems.

Currently, according to information from Microsoft, malware has been found on dozens of affected systems, and this number may grow as the investigation continues. These systems span several government, non-profit and information technology organizations. All of them are located in the territory of Ukraine.

It is not yet known whether there are other affected organizations in Ukraine or in the world. However, it is unlikely that these affected systems reflect the full scale of the attack.

At this time, MSTIC is unable to assess the purpose of these destructive actions, but believes that they pose an increased risk to any government agency, non-profit organization or enterprise that is located or operates in Ukraine.

MSTIC recommends that all organizations immediately conduct a thorough investigation and activate security measures based on the information provided in this article.

Microsoft відкрито надає дані, необхідні для проведення розслідувань кожному, хто постраждав або міг постраждати від руйнівних дій програм.

Microsoft openly shares the data needed to conduct investigations with anyone affected or likely to be affected by the attack’s destructive actions.

MSTIC is also actively working with members of the global security community and other strategic partners to share information across multiple channels that can counter this evolving threat.

Microsoft uses the DEV-#### notation as a temporary name given to an unknown, recent or evolving threat cluster. This allows MSTIC to track it as a unique set of information, and as soon as it can identify a threat according to specific criteria, it will be given a separate name or assigned to already known groups.

Cyberattacks in Ukraine: Investigating the Situation

On January 13, 2022, Microsoft discovered activity that could lead to boot records (MBR) being deleted. During the investigation, it was found out that this is a unique ability of malware that was used to carry out attacks on Ukrainian organizations.

Stage 1: Replacing the MBR and displaying a fake ransom note.

The malware resides in various working directories, including C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, and is often named stage1.exe. In observed attacks, malware is run via Impacket, a publicly available capability often used by attackers for lateral movement and execution.

The two-stage malware overwrites the master boot record (MBR) on attacked systems with a ransom note (stage 1).

The MBR is the part of the hard drive that tells the computer how to boot the operating system. The ransom note contains a bitcoin wallet and a Tox identifier (a unique account identifier used in the Tox encrypted messaging protocol), which was not previously observed by MSTIC:

Your hard drive has been corrupted.

In case you want to recover all hard drives

of your organization,

You should pay us $10k via bitcoin wallet

1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via

tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65

with your organization name.

We will contact you to give further instructions.

The malware runs when the affected device is turned off. Overwriting the MBR is not typical for cybercriminal ransomware. In fact, the ransomware message is a hoax, as is the fact that the malware destroys the MBR and the contents of the files it targets.

There are several reasons why this activity is inconsistent with the cybercriminal ransomware activity observed by MSTIC in the past:

  1. Messages that appear on the screen after ransomware activation are usually customized for each specific victim. In the case of the Ukrainian cyberattack, the same information about the ransom was observed from several victims. 
  2. Almost all ransomware encrypts the contents of files in the file system. In this case, the malware overwrites the MBR without a recovery mechanism. 
  3. Specific payment amounts and cryptocurrency wallet addresses are rarely specified in modern ransom notes, but were specified in DEV-0586. The same bitcoin wallet address was observed in all DEV-0586 attacks, and at the time of analysis, the only activity was a small transfer on January 14.
  4. The Tox ID with the Tox encrypted messaging protocol is rarely used as the only communication method. There are usually websites with support forums or multiple means of communication (including email) so that the victim can easily get in touch. 
  5. Most ransom notes include a user ID that the victim is instructed to send in their messages to the attackers. This is an important part of the process where the user ID is matched on the ransomware operation server with a decryption key for a particular victim. In this case, the ransom note does not include the user ID.

Microsoft will continue to monitor DEV-0586 activity and implement security measures for our customers. The current detections, advanced detections and IOCs used in our security products are detailed below.

Stage 2. File destruction malware activation

Stage2.exe is a file corruption malware loader. Once executed, stage2.exe downloads the next stage malware hosted on a Discord channel with a download link hardcoded into the loader.

Next-stage malware can best be described as file-destroying malware. When executed in memory, the corrupter finds files in specific directories on the system with one of the following hard-coded file extensions:


If the file has one of the above extensions, the corrupter overwrites the contents of the file with a fixed number of bytes 0xCC (1MB total file size). After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension. Analysis of this malware is ongoing.

How to Protect Against Cyber Attacks: Microsoft’s Best Practices for Customers

MSTIC and the Microsoft security teams are working to create and implement detection tools for this activity. To date, Microsoft has implemented protections to detect this family of malware such as WhisperGate (for example, DoS:Win32/WhisperGate.A!dha) with Microsoft Defender Antivirus and Microsoft Defender for Endpoint wherever they are deployed – locally or in the cloud.

We are continuing our investigation and as more information becomes available, we will share important news with affected customers, as well as with partners from the public and private sectors.

The effects of the malware attacks mentioned in this article can be minimized by taking into account the security measures below:

  1. Use the enabled indicators of compromise to find out if they exist in your environment and assess potential intrusion. 
  2. Review all authentication activities for the remote access infrastructure, paying special attention to accounts configured with single-factor authentication. 
  3. Enable Multi-Factor Authentication (MFA) to block access to potentially compromised credentials and ensure that MFA is applied to all remote connections.

NOTE. Microsoft strongly encourages all customers to download and use passwordless solutions such as Microsoft Authenticator to secure their accounts.

  1. Enable Microsoft Defender Controlled Folder Access (CFA) for endpoint to prevent MBR/VBR modification.

Indicators of compromise (IOC)

The following list represents the IOCs discovered during our research. We encourage customers to study these indicators in their environments and implement detection and protection tools to identify early signs of this type of ransomware intrusion and prevent future attacks on their systems.

Indicator  Type   Description  
a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 SHA-256  Hash of destructive malware stage1.exe
dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 SHA-256  Hash of stage2.exe
    Command line 

Impacket command line example showing the execution of destructive malware. The working directory changed depending on the observed intrusions.

Ukrainian companies can expand the level of security with the help of Microsoft Security services. Consultants from SMART business, a company that has been a Microsoft partner for over 13 years, will tell you how to do this.

If you have questions about expanding your company’s security or need professional advice, our experts are ready to help:

The article was prepared based on materials from Microsoft.

Posted in: