WhisperGate is a destructive MBR (Master Boot Record) wiper disguised as ransomware. It renders infected machines unbootable. Microsoft's Threat Intelligence Center first identified the malware on January 13, 2022, after observing unusual activity on multiple systems in Ukraine. A local cybersecurity expert told the Associated Press that the attackers most likely gained access to the government network through a supply-chain attack.
So far the attack cannot be confidently attributed to any known APT (Advanced Persistent Threat) group, and researchers believe it was carried out by a previously unseen actor. The attackers compromised numerous computers belonging to government, non-profit, and information technology organizations. Ukrainian officials have stated that they believe Russia is behind the attack, a conclusion that appears plausible given the geopolitical situation in the region.
Stage 1 of the WhisperGate Operation
WhisperGate is dropped on compromised systems in one of the directories C:\PerfLogs, C:\ProgramData, C:\, or C:\temp as a file named 'stage1.exe'. To disguise its true purpose, WhisperGate adopts several characteristics typical of ransomware. It presents a ransom note demanding $10,000 in Bitcoin, to be sent to the cryptocurrency wallet address given in the note, and tells victims to contact the attackers via the listed Tox ID (Tox is an encrypted messaging protocol). The destructive part runs when the infected machine is powered down: WhisperGate overwrites the MBR, the first sector of the disk, which holds the boot code and partition table needed to load the operating system.
By destroying the MBR, WhisperGate effectively bricks the system. The overwrite is not encryption and the malware keeps no copy of the original sector, so the data cannot be restored through the malware, not even by the attackers themselves. This contradicts the goal of any ransomware operation: criminals do not get paid unless they can convince victims that the affected files can be safely returned to their previous state. There are other signs that the ransomware component is only a cover for the attackers' true intentions.
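As an added example that is not part of the original article or of any published WhisperGate analysis, the following Python triage helper inspects a raw 512-byte sector and reports whether it still looks like a usable MBR: it checks the 0x55AA boot signature, decodes the four partition-table entries at offset 446, and searches for strings from the ransom note quoted further down on this page. The two sample sectors are constructed here for the demonstration; whether the real payload keeps the boot signature in place is not something the check relies on, since the missing partition table and the note text are flagged independently.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"
# Strings taken from the ransom note WhisperGate writes in place of the MBR.
NOTE_MARKERS = (b"Your hard drive has been corrupted", b"bitcoin wallet", b"tox ID")


def parse_partitions(sector: bytes) -> list:
    """Decode the four 16-byte partition entries at offset 446."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def analyze_mbr(sector: bytes) -> dict:
    """Return findings that indicate the sector is no longer a usable MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    for marker in NOTE_MARKERS:
        if marker in sector:
            findings.append("ransom-note text present: %r" % marker.decode())
    parts = parse_partitions(sector)
    # a real entry has status 0x00 (inactive) or 0x80 (bootable), a non-zero type and a size
    plausible = [p for p in parts
                 if p["status"] in (0x00, 0x80) and p["type"] != 0 and p["sectors"] > 0]
    if any(p["status"] not in (0x00, 0x80) for p in parts):
        findings.append("partition entry with invalid status byte (table overwritten?)")
    if not plausible:
        findings.append("no plausible partition entries")
    return {"suspicious": bool(findings), "findings": findings, "partitions": plausible}


def make_clean_mbr() -> bytes:
    """Constructed sample: a minimal boot stub plus one NTFS partition starting at LBA 2048."""
    boot_code = b"\x33\xc0\x8e\xd0".ljust(PARTITION_TABLE_OFFSET, b"\x90")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    return boot_code + entry + bytes(48) + BOOT_SIGNATURE


def make_wiped_mbr() -> bytes:
    """Constructed sample: note text where the boot code and partition table used to be.
    The signature is kept so the check does not depend on it (an assumption, not an IOC)."""
    note = (b"Your hard drive has been corrupted.\r\n"
            b"You should pay us $10k via bitcoin wallet ... and send message via tox ID ...\r\n")
    return note.ljust(SECTOR_SIZE - 2, b"\x00") + BOOT_SIGNATURE


if __name__ == "__main__":
    for label, sector in (("clean", make_clean_mbr()), ("wiped", make_wiped_mbr())):
        print(label, analyze_mbr(sector))
```

On a live host the sector comes from the raw device (for instance the first 512 bytes of `\\.\PhysicalDrive0` on Windows, read with administrator rights) or from a forensic disk image; feed those bytes to `analyze_mbr` instead of the constructed samples. A missing partition table is a stronger signal than a missing signature, because a display-only stub can keep the signature and still boot to nothing.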
WhisperGate's Stage 2
In the second stage of the attack, a dedicated file corrupter is deployed on the breached device. A file named 'stage2.exe' acts as a downloader that fetches the corrupter from a Discord channel; the download link is hardcoded into the downloader itself. Once the payload is executed, it scans specific directories on the system for files matching a list of more than 180 extensions. The contents of each targeted file are overwritten with a fixed number of 0xCC bytes, up to a total of 1 MB per file. After corrupting a file, the corrupter renames it by appending a seemingly random four-byte extension.
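As an added example (not code from the article or from the malware), the Python script below walks a directory tree and flags files that show the corrupter's pattern described above: a prefix of up to 1 MB consisting entirely of 0xCC bytes, and, as a secondary heuristic, a four-character alphanumeric extension appended after an ordinary one. Only the prefix is inspected, so the check works whether a corrupted file is exactly 1 MB or larger. The sample files are constructed in a temporary directory for the demonstration; the assumption that the original extension survives in front of the random one is labelled as such in the code.

```python
import os
import tempfile

WIPE_BYTE = b"\xcc"
WIPE_LIMIT = 1024 * 1024  # the corrupter overwrites up to 1 MB per file


def is_wiped_content(head: bytes) -> bool:
    """True if every byte of the (up to 1 MB) prefix is 0xCC, as the corrupter leaves it."""
    return len(head) > 0 and head == WIPE_BYTE * len(head)


def has_appended_random_extension(name: str) -> bool:
    """Heuristic (assumption): the original extension is still present and a
    four-character alphanumeric extension has been appended after it."""
    root, ext = os.path.splitext(name)
    _, inner_ext = os.path.splitext(root)
    return len(ext) == 5 and ext[1:].isalnum() and bool(inner_ext)


def scan_tree(root: str) -> list:
    """Walk a directory tree and return (path, reasons) for files matching the pattern."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(WIPE_LIMIT)  # only the overwritten prefix matters
            reasons = []
            if is_wiped_content(head):
                reasons.append("first %d bytes are all 0xCC" % len(head))
            if has_appended_random_extension(name):
                reasons.append("random-looking four-character extension appended")
            if reasons:
                hits.append((path, reasons))
    return sorted(hits)


def build_sample_tree(root: str) -> None:
    """Constructed sample files: one untouched document, one small corrupted file,
    and one file whose first 1 MB is 0xCC with other bytes after it."""
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04 intact document content")
    with open(os.path.join(root, "budget.xlsx.Ab3x"), "wb") as fh:
        fh.write(WIPE_BYTE * 4096)
    with open(os.path.join(root, "archive.zip.Q7zk"), "wb") as fh:
        fh.write(WIPE_BYTE * WIPE_LIMIT + b"bytes beyond the 1 MB limit")


def demo() -> list:
    """Build the sample tree in a temp dir, scan it, and return the flagged names with reasons."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = scan_tree(tmp)
    return [(os.path.basename(p), r) for p, r in hits]


if __name__ == "__main__":
    for name, reasons in demo():
        print(name, "->", "; ".join(reasons))
```

Run `scan_tree` against a mounted image or a share rather than `demo` when triaging a real incident; the content check is the authoritative signal, the extension heuristic only helps prioritise which hits to look at first.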
The text of the supposed ransom note is:
'Your hard drive has been corrupted.
In case you want to recover all hard drives
of your organization,
You should pay us $10k via bitcoin wallet
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via
tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65
with your organization name.
We will contact you to give further instructions.'