View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
January 18, 2022updated 07 Jul 2022 10:16am

‘Fake’ attacks on Ukraine add a new dimension to the ransomware fight

Old cyberattack techniques being deployed against targets in Ukraine should be of concern to tech leaders battling the ransomware threat.

By Claudia Glover

Government agencies and related organisations in Ukraine have been crippled by a series of cyberattacks purporting to be from ransomware gangs. But those behind the ‘fake ransomware’ attacks actually targeted data destruction, rather than stealing information, and though experts believe the malware involved is unlikely to spread widely, this could mark the beginning of a new dimension of the ransomware threat.

Fake ransomware attacks on Ukraine

The Ukrainian parliament. The country’s national institutions have been under attack from cybercriminals. (Photo by Sean Gallup/Getty Images)

The attacks are thought to have been carried out by the Russian Government, and could be a precursor to more serious cyber warfare targeted at Ukraine and elsewhere.

What are the fake ransomware attacks on Ukraine?

More than 70 government websites, as well as non-profit organisations and IT companies, were targeted using malware nicknamed “Wiper,” and the number of victims is continuing to climb. The malware is designed to look like ransomware but lacks a ransom recovery mechanism. This means that the malware “is designed to render targeted devices inoperable rather than to obtain a ransom” states a blog from the Microsoft Threat Intelligence Centre.

The malware is triggered when the target device is turned off. A ransom note then appears on the screen with a bitcoin address demanding $10,000 in bitcoin. However, the ransom is a ruse, instead the malware destroys the contents of the files on the device.

The techniques being used to attack these organisations are not new, explains Vlad Styran, co-founder and CEO of Ukrainian security company Berezha Security Group. “The technical means aren’t very sophisticated but they are impactful,” he says. “The techniques in use are out of date, but the hacker’s attitude is: if old stuff works why try harder?”

The new dimension to ransomware attacks

The resurgence of the old technique of data destruction may add a new dimension to efforts to combat the tide of ransomware, argues Yelisey Boguslavskiy, head of research at security company Advanced Intelligence. “Ransomware itself is currently in crisis,” he argues. “It’s clear that fewer and fewer companies are willing to pay a ransom even when they’re hit.”

Because of this, criminal gangs are having to get creative, and data annihilation may become a final intimidation tactic if the victim company is refusing to cooperate. “A lot of these individuals who are currently trying to get a profit out of ransom and are not yet in profit may start doing this digital vandalism, in order to intimidate businesses,” Boguslavskiy says. “Businesses are vandalised just to force them to do something, which is actually my main concern about this novel malware.”

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Possible precursor to hybrid warfare between Russia and Ukraine

Though there is no official confirmation, Russia is thought to be behind the attacks, with the methods deployed being very similar to those used in a cyber campaign against Ukraine between 2015 and 2017. “The playbook is perfectly aligned,” says Styran. “Fake ransomware like Wiper, that masquerades as ransomware, is site defacement for maximum publicity.” This “has been carried out by Russia before, thereby implicating them as the probable suspects this time round,” he says, adding: “If it smells like Russia and looks like Russia, it’s most probably Russia.”

If it smells like Russia and looks like Russia, it’s most probably Russia.
Vlad Styran, Berezha Security Group

The last time Ukraine was targeted with such a campaign the malware used became the now-infamous NotPetya, which later began circulating globally and caused $10bn of damage according to a report by Brookings Institute. This cannot be the case this time, however, as none of the processes are automated, believes Styran. “Last time it went out of control, it was fully automated and spread via the shadow internet by peer-to-peer VPN connections, in an uncontrolled manner, because that’s what it was designed for,” he says. In this instance, all of the processes are being conducted manually, which has different implications. “Now they did most of it manually, which is new, and that gives away the intention to harm Ukraine and only Ukraine,” Styran adds.

The cyberattacks come at a time of political unrest for Ukraine, as Russian troops amass and train near the Ukrainian border. It is possible that these attacks are being carried out as part of further aggressive manoeuvres by the Russian government, and as a precursor to kinetic warfare, Styran says. “What is happening now very much looks like exercises,” he says. “It’s not war yet.” But if war were to break out between Russia and Ukraine the results of any cyberattack would be less obvious, he explains. “Cyber war will look different, it will affect the infrastructure and logistics,” he says. “It won’t be this public, but more subtle and more impactful. When the shots start, I think that cyber will be much more destructive.”

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.