Ukrainian malware attacks: fake ransomware explained


On January 13th, the Microsoft Threat Intelligence Centre (MSTIC) identified multiple cases of malware targeting organisations within Ukraine.

The Ukrainian government has indicated that it has ‘evidence’ that the cyberattack was carried out by Russian nation-state actors. Nation-state attacks are malicious cyberattacks that originate from a particular country and attempt to further that country’s interests.

Russia has since stated that it had nothing to do with the attack. Regardless of who initiated it, it appears that the attack could prove more destructive, and affect more businesses, than initially expected.

In this article, we will discuss how the cyberattack affects systems, the indicators of compromise, how it could have been avoided, and how we can help you avoid a similar attack on your business.



What makes this attack particularly interesting is that the malware was disguised as ransomware.

In the first stage of the attack, once the malware enters a system, it overwrites the Master Boot Record (MBR) with a ransom note instructing the user to pay $10,000 in Bitcoin to a specified cryptocurrency wallet and then to send a message to a Tox ID in order to recover the data from the corrupted hard drive.

However, this ransom note is a ruse, and additional malware is executed when the device is powered off. The true malware destroys the Master Boot Record and its contents. This is not common behaviour for criminal ransomware because:

1) Nearly all ransomware encrypts the contents of files and the system. This malware instead overwrites the Master Boot Record, making it impossible to recover the data.

2) Ransomware payloads are typically customised for each victim.

3) It is not common for a ransomware attack to make use of a Tox ID for communication.
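As an added illustration that is not part of the original article: a defender-side check that inspects a raw 512-byte image of sector 0 and flags the signs described above, a missing partition table and a bootstrap area that is mostly readable text rather than code. The sample sectors below are constructed for this example, and the 60% text threshold is a heuristic chosen here, not a published indicator.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFF = 446          # 446 bytes of bootstrap code, then 4 x 16-byte entries
BOOT_SIG = b"\x55\xaa"        # trailing boot signature at offsets 510-511
TEXT_RATIO_LIMIT = 0.6        # heuristic threshold chosen for this example

def parse_partitions(mbr: bytes) -> list[tuple[int, int, int, int]]:
    """Return (status, type, lba_start, sector_count) for each non-empty entry."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            entries.append((status, ptype, lba_start, sectors))
    return entries

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) if data else 0.0

def assess_mbr(mbr: bytes) -> dict:
    """Flag structural damage or a text overwrite in sector 0."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("no partition entries")
    ratio = printable_ratio(mbr[:PART_TABLE_OFF])
    if ratio > TEXT_RATIO_LIMIT:
        findings.append(f"bootstrap area is {ratio:.0%} printable text")
    return {"suspicious": bool(findings), "findings": findings, "partitions": len(parts)}

def build_mbr(bootstrap: bytes, partitions: list[bytes]) -> bytes:
    """Assemble a constructed sector 0 for testing (sample data, not a real disk)."""
    table = b"".join(partitions).ljust(64, b"\x00")
    return bootstrap[:PART_TABLE_OFF].ljust(PART_TABLE_OFF, b"\x00") + table + BOOT_SIG

# Constructed samples: plausible x86 boot opcodes with one NTFS partition, versus
# a sector whose code area holds only text and whose partition table is zeroed.
NTFS_PART = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
HEALTHY_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" * 20, [NTFS_PART])
NOTE_MBR = build_mbr(b"CONSTRUCTED NOTE: your disk is corrupted, pay to recover it. " * 10, [])

if __name__ == "__main__":
    for name, mbr in (("healthy", HEALTHY_MBR), ("note", NOTE_MBR)):
        print(name, assess_mbr(mbr))
```

On a live host the same check can be run against the first 512 bytes read from the physical disk device, which is a quick way to confirm whether the boot sector still holds code and a partition table.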


In the second stage of the attack, Stage2.exe downloads additional malware hosted on a Discord channel. Once executed, it locates all files with certain file extensions and corrupts them. Affected file types include ZIP archives, configuration files, Excel and Word documents, images and website files. This damage is typically irreversible unless the business has a comprehensive backup solution.

It is assumed that this attack was carried out by a Russian nation-state actor as part of the country’s ongoing intimidation campaign against Ukraine. Initially, the organisations affected by this malware were government and public sector digital infrastructure, including websites. The malware also spread to nonprofit and information technology companies. As the attack was not a true ransomware attack, it is believed to have been designed to cause unrest within the country. It also coincided with Russia mobilising 100,000 troops on the border with Ukraine.


Thankfully, Microsoft has created and implemented detections for this malware family in Microsoft Defender Antivirus and Microsoft Defender for Endpoint, for both on-premises and cloud environments. If your business has either of these solutions, it will be protected from this attack.

Attacks from nation-state actors are often highly sophisticated and difficult to detect. However, in general, businesses should follow the steps below to avoid falling victim to an attack:

  • Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity.
  • Enable Controlled Folder Access (CFA) in Microsoft Defender for Endpoint to prevent MBR/VBR modification.
  • Implement a comprehensive email security solution to reduce the chance of a phishing attack.
  • Keep all systems, operating systems and applications up to date with security patches.
  • Implement a disaster recovery plan and make use of a backup solution, so that if your business does fall victim to an attack, there is no significant downtime or loss of data.

This attack is another example of how the cybersecurity threat landscape is constantly evolving, with attackers disguising their activity and launching destructive multi-stage attacks on a wide variety of businesses. It further proves that no business is safe from being the target of such an attack, regardless of industry, location or size.


For businesses without in-house cybersecurity expertise, it can be difficult to stay up to date with modern attacks and prevention methods. For this reason, it is often beneficial to outsource your cybersecurity requirements to a trusted third party.

Find out more about how we can protect your business from attacks similar to those on organisations in Ukraine by getting in touch with us today.