Microsoft Warns of Malware Designed as Ransomware that Deletes User Files

Microsoft is warning users of a malware that is designed as a ransomware, but is actually deleting the files of its victims. According to the tech giant, the code is designed to render the targeted devices inoperable

As of press time, the full scope of its impact remains unknown.

Microsoft Identified a New Malware Family Called 'Whispergate'

According to the story by Tech.co, Microsoft has just identified a new malware family known as "Whispergate." This malware operates by masquerading as ransomware despite carrying other more destructive actions.

Whispergate, which is actually a malware, hit companies in Ukraine but Microsoft is now admitting that there could also be unidentified victims in other places, which possibly include the United Kingdom and United States.

Infected Victims Given Standard 'Ransomware Note'

Infected victims are given the standard "ransomware note," informs them that their hard drive has been corrupted. The ransom note includes a demand of $10,000 worth of Bitcoin to recover the files. To add, the note is displayed by the MBR or MAster Boot Record, which is the part of the hard drive that instructs the devices on how to load their own operating system.

The method, however, is not usually being used in ransomware attack, which makes Whispergate rather different from the rest. According to MSTIC or the Microsoft Threat Intelligence Center, the malware is usually called "stage1.exe" and is executed through Impacket. Impacket is a collection of different Python classes that is usually used by threat actors for executing certain attacks.

Microsoft Warns that No Ransom Recovery Mechanism Exists

Stage2.exe, however, is another file that is involved in the attacks and works by downloading the malware directly onto the victim's computers. It then identifies files in certain directories, overwrites them, and before eventually renaming them.

Microsoft has noted, however, that there is still no ransom recovery mechanism.

Read Also: Breaking: Harmony Shard 0 Stopped Working for 7 Hours | Multiple Propagation Issues Caused by Heavy Spam Traffic

Malware Officially Spotted on January 13, 2022

Aside from targeting system MBRs, MSTIC states that there are also other several features found in the code indicating that it is not your usual ransomware attack. An example of this is demands of ransomware messages are usually very specific to the target

In contrast, the message sent on the recently found malware is just a random payload.

One related feature that is included in the majority of ransomware attacks are custom IDs that the victims are instructed to use when communicating with the attacker. There are, however, no custom IDs featured in the attacks reported.

MSTIC notes that the malware initially appeared in victims' systems on Jan. 13 and that all affected entities that have been identified so far are based in Ukraine.

In yet another post, Microsoft has noted that the attack is actually designed to look like a ransomware but, without the ransom recovery mechanism, it seems like the purpose is really to make targeted devices inoperable instead of getting money out of victims.

Related Article: US and Russia's Investigation Captured Hackers Likely Responsible for Colonial Pipeline Cyberattack | First Cooperation in 8 Years

This article is owned by Tech Times

Written by Urian B.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics