A new data wiper malware has been observed in recent weeks, affecting Ukrainian machines on a large scale.
A large volume of cyberattacks against Ukrainian cyberspace has been registered in recent weeks, alongside the escalation of Russian/Ukrainian military tension. In addition to attacks on government websites, defacements and the like, fully destructive malware (a data wiper) has been disseminated by criminals. The malware, dubbed WhisperGate, is a clear sign that the criminals have no financial gain once the threat is executed on the target. At first glance, the group is motivated only to interrupt Ukrainian operations, creating as much damage as possible on the target.
In summary, the data wiper malware is based on four principal phases, namely:

1. Overwrite the Master Boot Record (MBR) and display a fake ransom note after the system reboots.
2. Download stage 3 from a Discord server.
3. Stop and disable Windows Defender.
4. Encrypt/damage files, ping an address and remove the malware itself from the machine.

How WhisperGate works
The malware's first stage is responsible for overwriting the machine's MBR. With the MBR destroyed, the machine becomes unbootable, which makes the recovery process impossible. After corrupting the MBR, the PC is rebooted and the overwritten code is executed.
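As an added example (not code from the original article and not derived from the WhisperGate samples), the following Python parses a raw 512-byte MBR sector and flags what a defender would look for after a stage-1 overwrite like the one described above: boot code that no longer matches a known-good baseline hash, an emptied partition table, or a missing 0x55AA boot signature. The baseline hash, both sample sectors and the placeholder boot code are constructed for the demonstration; the article gives no layout for the real overwritten sector.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot code hash, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        if entry[4] != 0x00:  # partition type 0x00 marks an unused slot
            partitions.append({"bootable": entry[0] == 0x80, "type": entry[4],
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def assess_mbr(sector: bytes, baseline_boot_sha256: str) -> list:
    """Return findings showing the MBR no longer matches the known-good baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from baseline")
    if not info["partitions"]:
        findings.append("partition table is empty")
    return findings


def _build_mbr(boot_code: bytes, partition_entry: bytes) -> bytes:
    # Constructed sample only: pad boot code to 446 bytes, one partition slot, signature.
    return (boot_code.ljust(446, b"\x00") + partition_entry.ljust(64, b"\x00")
            + BOOT_SIGNATURE)


# Constructed known-good MBR: placeholder boot code and one NTFS (0x07) partition at LBA 2048.
GOOD_MBR = _build_mbr(b"\xEB\x3C\x90GOODBOOT",
                      bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000))
BASELINE_HASH = hashlib.sha256(GOOD_MBR[:446]).hexdigest()  # captured from a clean install
# Constructed post-overwrite MBR: foreign boot code, partition table zeroed, signature kept.
WIPED_MBR = _build_mbr(b"\xEB\x3C\x90FAKE NOTE", b"")
```

In practice the baseline hash would be recorded from a clean image, and the sector read from the physical disk on a schedule or at boot so that a rewritten MBR is noticed before the next reboot executes it.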