Data wipe and DDoS on Ukrainian sites
Many banks and government agencies in Ukraine have suffered DDoS attacks in the last few hours that have knocked their services offline. This type of attack floods the target with a continuous stream of requests until the servers can no longer respond and collapse. It can cause considerable economic losses to companies, which are left unable to operate for hours.
On top of this comes the discovery by ESET and Symantec, who have detected new data-wiping malware used against Ukrainian organizations. The objective is clear: destroy all kinds of data and information and thereby generate chaos and damage. The ESET Twitter profile gives details of this new data-wiping malware.
Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today 1/n
— ESET research (@ESETresearch) February 23, 2022
As ESET indicates, this new data wiper is detected as Win32/KillDisk.NCV and was deployed today on hundreds of devices in Ukrainian networks. Notably, the malware was compiled on December 28, so the attacks may have been planned well in advance.
For its part, Symantec has shared the hash of the new data-wiping malware on its social networks. At present, they say, only 16 of the 70 security engines on VirusTotal detect it.
BleepingComputer has analysed the new malware and found that it embeds four drivers named DRV_X64, DRV_X86, DRV_XP_X64 and DRV_XP_X86. When the malware runs, it installs one of those drivers as a new Windows service. The drivers belong to the legitimate EaseUS Partition Master software, which the malware abuses.
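The behaviour described above, a kernel driver dropped and registered as a new Windows service, leaves a trace that defenders can hunt for: Windows logs Event ID 7045 ("A service was installed in the system") in the System log. The script below is an added example, not code from the article or from ESET, Symantec or BleepingComputer; it parses constructed 7045 records flattened to one line each and flags kernel-mode driver services that load from outside the standard driver directory or that are absent from a hypothetical host baseline (`KNOWN_DRIVER_SERVICES` is an assumed allowlist).

```python
import re
from typing import Dict, List, Optional

# Constructed Event ID 7045 records, one per line, using the field names the
# real event message carries. Sample data only, not telemetry from the incident.
SAMPLE_7045_EVENTS = [
    r"Service Name: WdNisDrv | Service File Name: C:\Windows\System32\drivers\WdNisDrv.sys | Service Type: kernel mode driver | Service Start Type: demand start | Service Account: ",
    r"Service Name: zxqp | Service File Name: \??\C:\Windows\System32\Drivers\zxqp.sys | Service Type: kernel mode driver | Service Start Type: demand start | Service Account: ",
    r"Service Name: VendorUpdater | Service File Name: C:\Program Files\Vendor\svc.exe | Service Type: user mode service | Service Start Type: auto start | Service Account: LocalSystem",
    r"Service Name: pmdrv | Service File Name: C:\Users\Public\pmdrv.sys | Service Type: kernel mode driver | Service Start Type: demand start | Service Account: ",
]

# Hypothetical baseline: driver services present on a clean build of this image.
KNOWN_DRIVER_SERVICES = {"wdnisdrv", "disk", "volmgr"}

# Forms in which the driver directory commonly appears in an ImagePath.
DRIVER_DIR_PREFIXES = (
    r"c:\windows\system32\drivers" + "\\",
    r"\systemroot\system32\drivers" + "\\",
    r"system32\drivers" + "\\",
)

FIELD_RE = re.compile(
    r"(Service Name|Service File Name|Service Type|Service Start Type|Service Account): ([^|]*)"
)


def parse_7045(line: str) -> Dict[str, str]:
    """Split a flattened 7045 record into its named fields."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def normalise_path(path: str) -> str:
    """Lower-case the path and drop quotes and the NT '\\??\\' prefix."""
    path = path.strip().strip('"').lower()
    return path[4:] if path.startswith(r"\??" + "\\") else path


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an alert for a suspicious kernel-driver install, or None."""
    if event.get("Service Type", "").lower() != "kernel mode driver":
        return None  # user-mode services are outside this wiper pattern
    name = event.get("Service Name", "")
    path = normalise_path(event.get("Service File Name", ""))
    if not path.startswith(DRIVER_DIR_PREFIXES):
        return f"HIGH: kernel driver '{name}' loads from non-standard path {path}"
    if name.lower() not in KNOWN_DRIVER_SERVICES:
        return f"REVIEW: new kernel driver service '{name}' not in host baseline"
    return None


def scan(lines: List[str]) -> List[str]:
    """Run the classifier over every record and keep only the alerts."""
    return [alert for alert in (classify(parse_7045(l)) for l in lines) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_7045_EVENTS):
        print(alert)
```

On a live host the same logic applies to records exported from the System log; the baseline set should be built from a known-good image rather than the constructed one here.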
This is not the first such attack.
Keep in mind that this is not the first such attack on Ukrainian websites. Last January, Microsoft warned of a threat that was disguised as ransomware and was used against various Ukrainian organizations. That data-wiping malware was named WhisperGate.
The purpose of that malware was to corrupt files and wipe device components, making it impossible to boot Windows or to access those files. Something similar has happened with the new threat that is affecting numerous sites in Ukraine today.
Although the attacks have not been directly attributed to Russia, threats of this kind have been used by hackers backed by the Russian government. Going further back, in 2017 Ukrainian citizens were hit by the NotPetya ransomware, and in 2020 the United States formally accused a group of Russian cybercriminals of a similar attack.
In the last few hours we have seen tension between Russia and Ukraine escalate, with bombings across Ukraine. But modern wars are not fought with missiles alone, as these DDoS attacks and wiper malware, which seek to destabilize and cause wider problems, make clear.