Government agencies and related organisations in Ukraine have been crippled by a series of cyberattacks purporting to be from ransomware gangs. But those behind the ‘fake ransomware’ attacks were actually aiming to destroy data rather than steal information, and though experts believe the malware involved is unlikely to spread widely, this could mark the beginning of a new dimension of the ransomware threat.
The attacks are thought to have been carried out by the Russian Government, and could be a precursor to more serious cyber warfare targeted at Ukraine and elsewhere.
What are the fake ransomware attacks on Ukraine?
More than 70 government websites, as well as non-profit organisations and IT companies, were targeted using malware nicknamed “Wiper,” and the number of victims is continuing to climb. The malware is designed to look like ransomware but lacks a ransom recovery mechanism. This means that the malware “is designed to render targeted devices inoperable rather than to obtain a ransom,” states a blog from the Microsoft Threat Intelligence Centre.
The malware is triggered when the target device is turned off. A ransom note then appears on the screen, demanding $10,000 in bitcoin and giving a bitcoin address. However, the ransom is a ruse: instead, the malware destroys the contents of the files on the device.
The techniques being used to attack these organisations are not new, explains Vlad Styran, co-founder and CEO of Ukrainian security company Berezha Security Group. “The technical means aren’t very sophisticated but they are impactful,” he says. “The techniques in use are out of date, but the hacker’s attitude is: if old stuff works why try harder?”
The new dimension to ransomware attacks
The resurgence of the old technique of data destruction may add a new dimension to efforts to combat the tide of ransomware, argues Yelisey Boguslavskiy, head of research at security company Advanced Intelligence. “Ransomware itself is currently in crisis,” he says. “It’s clear that fewer and fewer companies are willing to pay a ransom even when they’re hit.”
Because of this, criminal gangs are having to get creative, and data annihilation may become a final intimidation tactic if the victim company is refusing to cooperate. “A lot of these individuals who are currently trying to get a profit out of ransom and are not yet in profit may start doing this digital vandalism, in order to intimidate businesses,” Boguslavskiy says. “Businesses are vandalised just to force them to do something, which is actually my main concern about this novel malware.”
Possible precursor to hybrid warfare between Russia and Ukraine
Though there is no official confirmation, Russia is thought to be behind the attacks, with the methods deployed being very similar to those used in a cyber campaign against Ukraine between 2015 and 2017. “The playbook is perfectly aligned,” says Styran. “Fake ransomware like Wiper, that masquerades as ransomware, is site defacement for maximum publicity.” This “has been carried out by Russia before, thereby implicating them as the probable suspects this time round,” he says, adding: “If it smells like Russia and looks like Russia, it’s most probably Russia.”
The last time Ukraine was targeted with such a campaign, the malware used became the now-infamous NotPetya, which later began circulating globally and caused $10bn of damage according to a report by the Brookings Institute. Styran believes this cannot be the case this time, however, as none of the processes are automated. “Last time it went out of control, it was fully automated and spread via the shadow internet by peer-to-peer VPN connections, in an uncontrolled manner, because that’s what it was designed for,” he says. In this instance, all of the processes are being conducted manually, which has different implications. “Now they did most of it manually, which is new, and that gives away the intention to harm Ukraine and only Ukraine,” Styran adds.
The cyberattacks come at a time of political unrest for Ukraine, as Russian troops amass and train near the Ukrainian border. It is possible that these attacks are being carried out as part of further aggressive manoeuvres by the Russian government, and as a precursor to kinetic warfare, Styran says. “What is happening now very much looks like exercises,” he says. “It’s not war yet.” But if war were to break out between Russia and Ukraine, the results of any cyberattack would be less obvious, he explains. “Cyber war will look different, it will affect the infrastructure and logistics,” he says. “It won’t be this public, but more subtle and more impactful. When the shots start, I think that cyber will be much more destructive.”