Hundreds of computers in Ukraine have been infected with data-erasing Windows malware, according to ESET researchers.
In one series of tweets on Wednesday, the infosec biz said it had recovered its first sample of the nasty software around 1500 UTC, and believes the code has been in the works for two months.
“ESET telemetry shows it has been installed on hundreds of machines nationwide,” the company said.
We are told that the data eraser is cryptographically signed with a code-signing certificate issued to a legitimate developer, presumably obtained fraudulently, so that antivirus tools and users trust it. The malware uses drivers from a partitioning program to corrupt storage devices and destroy files on infected systems, according to ESET.
It is not entirely clear at this time how the malware is dropped onto victim machines and executed, although in one case, ESET said, an organization’s Active Directory server was likely compromised and used to push the wiper across the network via a Group Policy Object (GPO).
Symantec’s Threat Intelligence Wing also says it has spotted data-destroying malware in Ukraine; the Broadcom-owned company added that it had also seen infections in Latvia and Lithuania.
ESET dubbed the nasty Win32/KillDisk.NCV. It is understood that the code not only erases files from the drive but also wipes the master boot record (MBR), making booting and recovery difficult or impossible afterwards.
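On the MBR point, the first thing a responder wants from a disk image of a hit machine is a quick answer to "is the boot sector still a valid MBR, zero-filled, or overwritten with junk?". The script below is an added example, not code from ESET, Symantec or The Register: it parses a 512-byte sector according to the classic MBR layout (446 bytes of boot code, four 16-byte partition entries at offset 0x1BE, the 0x55AA signature at 0x1FE) and returns a verdict. The sample sectors it builds are constructed for the demonstration, not captured from any victim.

```python
"""Triage a captured boot sector: intact MBR, wiped, or corrupted?

Added example; the sample sectors below are constructed, not real evidence.
"""
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0x000-0x1BD
PART_TABLE_OFFSET = 0x1BE     # four 16-byte entries
PART_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 0x1FE      # 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass
class PartitionEntry:
    index: int
    status: int        # 0x80 = bootable, 0x00 = inactive, anything else is suspect
    type_id: int       # e.g. 0x07 for NTFS/exFAT
    lba_start: int
    sector_count: int

    @property
    def is_empty(self) -> bool:
        return self.type_id == 0 and self.lba_start == 0 and self.sector_count == 0

    @property
    def is_plausible(self) -> bool:
        # A used entry needs a legal status byte and a non-empty extent.
        return (not self.is_empty and self.status in (0x00, 0x80)
                and self.sector_count > 0)


def parse_partition_table(sector: bytes) -> list[PartitionEntry]:
    """Decode the four entries: status, CHS(3), type, CHS(3), LBA, count (LE)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append(PartitionEntry(i, status, ptype, lba, count))
    return entries


def assess_mbr(sector: bytes) -> dict:
    """Return a verdict ('intact', 'wiped' or 'corrupt') plus the evidence for it."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte sector, got {len(sector)}")
    if sector == bytes(MBR_SIZE):
        return {"verdict": "wiped", "signature_ok": False,
                "boot_code_zero_fraction": 1.0, "partitions": [],
                "issues": ["sector is entirely zero-filled"]}
    issues = []
    sig_ok = sector[SIGNATURE_OFFSET:] == BOOT_SIGNATURE
    if not sig_ok:
        issues.append("boot signature 0x55AA missing")
    zero_fraction = sector[:BOOT_CODE_SIZE].count(0) / BOOT_CODE_SIZE
    if zero_fraction > 0.9:
        issues.append("boot code region is almost entirely zero")
    used = [p for p in parse_partition_table(sector) if not p.is_empty]
    for p in used:
        if not p.is_plausible:
            issues.append(f"partition entry {p.index} is malformed (status 0x{p.status:02x})")
    if not used:
        issues.append("partition table has no entries")
    return {"verdict": "intact" if not issues else "corrupt",
            "signature_ok": sig_ok, "boot_code_zero_fraction": zero_fraction,
            "partitions": used, "issues": issues}


def _entry(status: int, ptype: int, lba: int, count: int) -> bytes:
    return struct.pack("<B3xB3xII", status, ptype, lba, count)


def build_intact_mbr() -> bytes:
    """Constructed healthy sector: a jump stub, non-zero filler, two NTFS entries."""
    boot_code = b"\xeb\x3c\x90" + bytes(1 + (i % 250) for i in range(BOOT_CODE_SIZE - 3))
    table = (_entry(0x80, 0x07, 2048, 204800)
             + _entry(0x00, 0x07, 206848, 1024000)
             + bytes(PART_ENTRY_SIZE * 2))
    return boot_code + table + BOOT_SIGNATURE


def build_corrupted_mbr() -> bytes:
    """Constructed damaged sector: partition table and signature overwritten with 0xFF."""
    sector = bytearray(build_intact_mbr())
    sector[PART_TABLE_OFFSET:] = b"\xff" * (MBR_SIZE - PART_TABLE_OFFSET)
    return bytes(sector)


if __name__ == "__main__":
    for name, sample in (("intact", build_intact_mbr()),
                         ("zeroed", bytes(MBR_SIZE)),
                         ("junk", build_corrupted_mbr())):
        r = assess_mbr(sample)
        print(f"{name:7s} -> {r['verdict']:8s} issues={r['issues']}")
```

On a real image, read the first 512 bytes of the raw device or E01-mounted disk and pass them to `assess_mbr`; a "wiped" or "corrupt" verdict on a machine that previously booted is the cue to move on to file-system carving rather than attempting repair in place. GPT disks keep a protective MBR with a single 0xEE entry, which this check still reports as intact.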
It comes as various Ukrainian websites have been disrupted, to varying degrees, by denial-of-service attacks, and the UK’s National Cyber Security Centre has warned of a new strain of Kremlin-linked malware that is separate from the wiper ESET and Symantec discovered.
The larger context is that Russia invaded an area of eastern Ukraine this week, apparently as part of a peacekeeping mission to protect two breakaway regions of the country. The move triggered new US sanctions against Moscow.
Russia said it was sending peacekeeping forces to Ukraine.
And presumably, this Russian malware is part of its PC keeping forces https://t.co/4ovf39YTW9
— The Register (@TheRegister) February 23, 2022
Uncle Sam has warned U.S. companies and organizations to prepare for cyberattacks from Russia in retaliation for those sanctions and the White House’s opposition to Russian President Vladimir Putin’s intrusion into Ukraine.
It is feared that a full invasion will now follow, as Russia has amassed troops near the Ukrainian border. Ukrainian websites and systems have been targeted and disrupted by miscreants in recent weeks amid rising tensions and a breakdown in diplomacy.
A spokesperson for the Ukrainian Consulate General in San Francisco was unavailable for immediate comment. The country’s entire Foreign Ministry web presence appears to be offline due to a cyberattack, we note. ®