| WhisperGate | |
|---|---|
| Type of Malware | Ransomware |
| Country of Origin | Russia |
| Targeted Countries | Ukraine |
| Date of Initial Activity | 2022 |
| Associated Groups | Cadet Blizzard |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
WhisperGate ransomware, first identified in January 2022, represents a sophisticated and destructive form of cyberattack, specifically targeting Ukrainian entities amid rising geopolitical tensions. This malware was part of a larger coordinated effort involving multiple malicious components, including a bootloader, a Discord-based downloader, and a file wiper. The attacks were carried out in tandem with the defacement of Ukrainian government websites, highlighting the adversary’s intent to create widespread disruption, steal sensitive data, and compromise critical infrastructure. While initially appearing to resemble typical ransomware campaigns, WhisperGate diverged significantly in its technical execution and goals, focusing on total data destruction rather than financial extortion.
The malware is designed to overwrite the Master Boot Record (MBR) of infected systems, essentially preventing the operating system from loading properly and rendering the system inoperable. This malicious bootloader component was crafted to display a fake ransom note to deceive victims into believing they could recover their data. However, in stark contrast to traditional ransomware, WhisperGate does not include a decryption feature or any method for restoring damaged files, leading researchers to conclude that its primary objective was not monetary gain, but rather to incapacitate systems and erase critical data. The destructive nature of the attack was further exacerbated by the malware’s ability to target and corrupt multiple disk sectors across infected machines.
Targets
Public Administration
Information
How they operate
At the heart of WhisperGate’s operation is its malicious bootloader component. When the malware is first executed, it installs a bootloader that overwrites the Master Boot Record (MBR) of the infected machine. This bootloader, a 16-bit program, is crafted to display a ransom note upon boot, misleading the victim into believing that data recovery is possible. However, unlike traditional ransomware, WhisperGate does not feature a decryption mechanism. The malware’s primary function is to corrupt the system irreparably. The bootloader achieves this by overwriting specific sectors of the infected disk with a fixed pattern, which includes fake ransom notes and other non-recoverable data.
The data destruction process is relatively unsophisticated but highly effective. WhisperGate overwrites every 199th sector on the infected disk, starting from the first detected disk and proceeding through all accessible drives. The malicious bootloader performs this task repeatedly, using BIOS interrupt 13h in logical block addressing (LBA) mode to manipulate the disk. The overwritten data includes strings like “AAAAA” and other indicators, which are designed to confuse forensics and make the malware harder to detect. The consistent overwriting of critical disk sectors ensures that even if the system were to be rebooted, the damage would be irreversible, leaving the target machine inoperable.
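A forensic triage check for the corruption pattern just described, added here as an example (it is not tooling from the original profile or from any vendor): it scans a raw disk image for sectors filled entirely with "A", tests whether the damaged sectors sit at the 199-sector stride, and flags an MBR that no longer matches a known-good hash. The disk image is constructed in memory; the sector at which the damage begins is an assumption.

```python
from __future__ import annotations
import hashlib
from collections import Counter

SECTOR = 512
WHISPERGATE_STRIDE = 199   # every 199th sector, as described above
FILL = b"A"                # the "AAAAA" fill described above


def overwritten_sectors(image: bytes, fill: bytes = FILL) -> list[int]:
    """Indices of sectors that consist entirely of the fill byte."""
    pattern = fill * SECTOR
    return [i for i in range(len(image) // SECTOR)
            if image[i * SECTOR:(i + 1) * SECTOR] == pattern]


def dominant_stride(indices: list[int]) -> int | None:
    """Most common gap between consecutive damaged sectors (None if < 2 hits)."""
    gaps = Counter(b - a for a, b in zip(indices, indices[1:]))
    return gaps.most_common(1)[0][0] if gaps else None


def triage(image: bytes, baseline_mbr_sha256: str) -> dict:
    """Summarise MBR tampering and periodic sector corruption for one image."""
    hits = overwritten_sectors(image)
    stride = dominant_stride(hits)
    mbr_hash = hashlib.sha256(image[:SECTOR]).hexdigest()
    return {
        "mbr_changed": mbr_hash != baseline_mbr_sha256,
        "damaged_sectors": len(hits),
        "stride": stride,
        "whispergate_pattern": stride == WHISPERGATE_STRIDE and len(hits) >= 3,
    }


def constructed_images(sectors: int = 2000) -> tuple[bytes, bytes, str]:
    """Constructed fixture: clean image, damaged copy, and the clean MBR hash."""
    clean = (bytes(range(256)) * 2) * sectors          # no sector is all "A"
    baseline = hashlib.sha256(clean[:SECTOR]).hexdigest()
    damaged = bytearray(clean)
    damaged[:SECTOR] = b"\x90" * 510 + b"\x55\xaa"     # stand-in for a replaced MBR
    # Assumption: damage starts at sector 1; only the stride matters to triage().
    for i in range(1, sectors, WHISPERGATE_STRIDE):
        damaged[i * SECTOR:(i + 1) * SECTOR] = FILL * SECTOR
    return clean, bytes(damaged), baseline
```

On a real acquisition, read the image with `open(path, "rb").read()` (or in chunks for large disks) and supply the MBR hash recorded from a known-good baseline of the same host.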
The installation of WhisperGate’s components is particularly insidious. Upon execution, the malware does not force an immediate reboot of the infected machine. This is a departure from other destructive malware, such as NotPetya, which often triggers a reboot to initiate further damage. Instead, WhisperGate’s installation allows for a delayed reboot, which may be triggered either by the attacker or by other components of the attack. This delay gives the adversary the opportunity to launch other malware components, such as the file-wiper, which further contributes to the overall damage.
In summary, WhisperGate operates with a clear focus on rendering systems unusable. By using a 16-bit bootloader to overwrite critical disk sectors and prevent recovery, the malware ensures permanent data loss. The absence of a decryption feature and the deceptive ransom note further align WhisperGate with previous destructive attacks like NotPetya, though it remains less sophisticated in comparison. The technical analysis of WhisperGate highlights the increasing trend toward destructive malware, which does not seek ransom but aims to disrupt operations and destroy critical infrastructure. This evolution in cyberattack methodology underscores the growing complexity and potential damage posed by modern malware.
MITRE Tactics and Techniques
Initial Access (T1071: Application Layer Protocol):
WhisperGate uses a Discord-based downloader to initiate the attack, leveraging a commonly used application-layer protocol for command and control communications. This enables attackers to bypass some traditional network defenses.
Execution (T1105: Remote File Copy):
The malware executes its payload by copying files to the infected system. In this case, the bootloader component is installed and runs, which initiates destructive operations and alters the master boot record (MBR).
Persistence (T1071.001: Application Layer Protocol: Web Protocols):
The malware persists by modifying the system’s boot process. This ensures that the malicious bootloader will be executed each time the system restarts, giving the attacker continued control over the system.
Privilege Escalation (T1068: Exploitation for Privilege Escalation):
The malware may exploit weaknesses in the system to escalate its privileges and carry out destructive operations, such as overwriting disk sectors.
Defense Evasion (T1070.004: Indicator Removal on Host: File Deletion):
WhisperGate evades detection by overwriting disk sectors and the MBR with non-suspicious data, such as fake ransom notes, and possibly using other evasion techniques to hinder analysis by security tools.
Impact (T1485: Data Destruction):
WhisperGate’s primary goal is data destruction. It uses its bootloader to corrupt sectors on the disk and overwrite them with hardcoded data, rendering the system inoperable and causing irreparable data loss.
Impact (T1490: Inhibit System Recovery):
The bootloader’s alteration of the MBR prevents the system from rebooting correctly, effectively inhibiting any system recovery and ensuring that the attack results in permanent disruption.