WhisperGate Malware Goes After Ukraine Targets

WhisperGate is a new piece of malware, currently categorized as a disk wiper, that can also corrupt the Master Boot Record (MBR) of infected devices. These attacks are incredibly destructive because they achieve two things. First, they render the victim's files inaccessible. Second, they can leave the user unable to boot the system because the Master Boot Record has been overwritten completely. In recent years, many large organizations and institutions have fallen victim to such attacks.

WhisperGate's Ransomware Disguise

One of the peculiar things about this malware is that it uses a custom message to overwrite the Master Boot Record. This means that when the system boots up again, it shows the criminals' message. Surprisingly, the message urges victims to pay a ransom of $10,000 in Bitcoin, assuring them that their files will be recovered after they pay. However, analysis shows that WhisperGate does not really encrypt files; it simply overwrites and corrupts their contents. This means that the creators of the malware are unable to undo the damage it does.
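For triage of a disk image suspected of this kind of MBR overwrite, the following added example (not from the original article or from any vendor tooling) parses a 512-byte boot sector and flags a missing boot signature, an empty partition table, and long printable text in the boot code area. The 64-byte text threshold, the helper names, and both sample sectors are assumptions constructed for illustration.

```python
import re
import struct

SECTOR = 512
# Assumed heuristic: stock boot code carries only short error strings, so a
# printable run of 64+ bytes in the code area is worth an analyst's attention.
TEXT_RUN = re.compile(rb"[\x20-\x7e\r\n]{64,}")

def triage_mbr(sector: bytes) -> dict:
    """Inspect one 512-byte MBR sector read from a forensic image."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    code, table, sig = sector[:446], sector[446:510], sector[510:]
    parts, findings = [], []
    for i in range(4):
        entry = table[i * 16:(i + 1) * 16]
        status, ptype = entry[0], entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            findings.append(f"slot {i}: invalid status byte {status:#04x}")
        parts.append({"slot": i, "type": ptype, "lba_start": start, "sectors": count})
    if sig != b"\x55\xaa":
        findings.append("boot signature 55 AA missing")
    if not parts:
        findings.append("partition table empty")
    text = [m.group().decode("ascii") for m in TEXT_RUN.finditer(code)]
    if text:
        findings.append("long printable text in boot code area")
    return {"partitions": parts, "text": text, "findings": findings}

def build_sector(code: bytes, entries: bytes = b"") -> bytes:
    """Assemble a constructed test sector: code area, table, signature."""
    return code.ljust(446, b"\x00") + entries.ljust(64, b"\x00") + b"\x55\xaa"

# Constructed samples, not taken from any real disk or malware sample.
HEALTHY = build_sector(
    b"\x33\xc0\x8e\xd0Invalid partition table\x00Missing operating system\x00",
    struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1000000),
)
OVERWRITTEN = build_sector(
    b"\xeb\x00CONSTRUCTED SAMPLE NOTE: this disk was overwritten; "
    b"send payment to <placeholder-wallet> to recover files."
)

if __name__ == "__main__":
    for name, sec in (("healthy", HEALTHY), ("overwritten", OVERWRITTEN)):
        print(name, triage_mbr(sec)["findings"])
```

Run it against the first sector of a read-only forensic copy, never the live disk; any finding is a prompt for manual review, not a verdict.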

The attack is usually carried out in two stages. First, the MBR is overwritten, and then the files are corrupted as well. WhisperGate targets popular file formats to maximize its damage, a common modus operandi for ransomware and wipers. Another interesting thing about WhisperGate is that it only starts its attack when the device powers down: launching the malware will not cause any changes until the device shuts down.

So far, WhisperGate has been used exclusively in attacks against Ukraine-based entities and organizations, such as major names in the energy sector. This likely means that the attacker is a state-sponsored threat actor whose ultimate goal is to take down critical infrastructure in Ukraine.

January 18, 2022