Ukraine malware attack focused on destruction of data, not ransomware, says Microsoft

Over the weekend, the Microsoft Security blog shared information on a new destructive malware operation that has been targeting multiple government, non-profit, and information technology organizations in Ukraine, as tensions between that country and Russia continue to escalate.

The malware is presented as though it were a ransomware attack, offering a ransom note, a single Bitcoin wallet for payment, and a single Tox ID. However once an infected machine is powered down, instead of encrypting the Master Boot Record (MBR) for later recovery after a ransom is paid, as is typical, the malware instead simply destroys the MBR. The malware also targets a number of file types, overwriting files within a list of extensions.

Microsoft explains that these activities are unlike any “normal” ransomware attack, which are used to demand payments, and instead is intent on destructive activity.

Microsoft is and has been working with customers in Ukraine to assess their systems, and provides methods to identify systems that are compromised and help protect their data.

Microsoft has been pushing for more secure computer systems, releasing Windows 11 with a new set of security requirements as it continues to respond to ever increasing threats from ever more sophisticated attacks.