The WhisperGate malware used in multiple cyber attacks against Ukrainian government targets – allegedly by malicious actors linked to or backed by the Russian government – remains the subject of ongoing analysis by security researchers as the international crisis over Ukraine gathers.
WhisperGate is a wiper-like worm with some similarities to NotPetya; as previously reported, it “masquerades” as ransomware but, rather than encrypting data, it targets a system’s master boot record for destruction.
Calvin Gan, senior manager of tactical defence at F-Secure, said that the tactic of disguising wiper malware as ransomware was not a new one, and was well-favoured by actors linked to national governments.
“WhisperGate, or DEV-0586 as Microsoft calls it, has a similar resemblance to NotPetya discovered back in 2017, which is also a wiper malware disguised as a ransomware,” said Gan.
“NotPetya at that time has crippled many companies in Ukraine, France, Russia, Spain and the US. Then there is also the Agrius group, tracked by researchers from SentinelOne, who recently has also been utilising wiper malware on their target organisations in the Middle East.
“With the usage of wiper malware, it is clear that the attackers are not after financial gain but are more motivated to cripple the target operations. Overwriting the Master Boot Record [MBR] would render the machine unbootable thus making recovery impossible especially when the malware also overwrites file contents before overwriting the MBR,” he said.
Researchers at Cisco Talos, meanwhile, shared details of WhisperGate’s chain of attack. Talos assessed a few days ago (with a medium degree of confidence) that the attackers behind it were in possession of stolen credentials and had had access to their targets for some time. As Talos’ team noted, this is a common tactic of advanced persistent threat (APT) groups, lending credence to the speculation that the attacks were backed by Moscow.
In a WhisperGate infection, the victim first receives a payload that attempts to wipe the MBR and replace it with the “ransom note”, while at the same time trying to destroy the C: partition by overwriting it with fixed data – something that differentiates it from NotPetya.
The second stage, said Talos, is a downloader that fetches the third stage, a dynamic link library (DLL) file, from a Discord server URL hardcoded into the downloader. This DLL, coded in C#, drops a fourth stage wiper payload that deletes all data on the endpoint – Talos’ researchers said this was “probably a contingency plan” if the first stage didn’t work right.
Rafe Pilling, a senior security researcher at Secureworks’ Counter Threat Unit, said: “To be clear, WhisperGate is a destructive malware, not ransomware. No one will get their data back. While it is unlikely that organisations outside of Ukraine will be directly targeted, customers should consider their exposure to collateral damage via service providers or business partners in Ukraine.
“Organisations should be extra vigilant and maintain current backups of business-critical systems and data, exercise restoration processes before they are needed, and ensure that backups cannot be impacted by ransomware-style or wiper malware attacks.”
Best practice for guarding against a WhisperGate-style attack reflects best practice for fending off traditional ransomware gangs – to maintain thorough, regularly updated and tested, and protected backups; to develop business continuity plans; to segment networks and limit access to high-risk assets; to keep all systems and software patched and up-to-date; and to implement endpoint detection and response (EDR) and investigate any and all alerts.