back to article Ukraine blames Belarus for PC-wiping 'ransomware' that has no recovery method and nukes target boxen

After last week's website defacements, Ukraine is now being targeted by boot record-wiping malware that looks like ransomware but with one crucial difference: there's no recovery method. Officials have pointed the finger at Belarus. Church Of Saints Simon And Helen or Red Church And Fountain At Independence Square In Minsk, …

  1. KarMann Silver badge

    What's in a name?

    Deployed by a group named by Microsoft as DEV-0586….
    Surely they should have changed their numbering/naming scheme again to call this one DEV-Pentium instead?

    1. David Shaw

      name: semaphore!

      there are so many FLAGS waving around, that it looks like an international Semaphore contest








      and where's the El'Reg article on 5G FUBAR US?

      (OK, found the 14th Jan one )

  2. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: MBR?!

      In short, this "malware" as described is capable of nothing more than short-term denial of service.

      From the article "The wiper's second stage, stage2.exe, then rampages through the rest of your system, overwriting everything from Word files to web pages (.HTML and .PHP files), images and databases."

      1. J. Cook Silver badge

        Re: MBR?!

        Yeah. the MBR scrambling is just the cherry on the top of the poop-cake.

        At least it's not an auto-spreader, and any company with a decent backup strategy in place won't feel too much pain, and be able to recover reasonably quickly.

        1. CrazyOldCatMan Silver badge

          Re: MBR?!

          Yeah. the MBR scrambling is just the cherry on the top of the poop-cake.

          It would be worse if the malware can implant something nasty in the UEFI boot partition - somewhere where all the malware checkers can't find it and where it can survive OS reinstalls..

  3. Pascal Monett Silver badge

    "no recovery method and nukes target boxen"

    Or, in other words, a chance to practice your backup recovery procedures.

    Because you have those, right ?

    1. LoopDoGG79

      Re: "no recovery method and nukes target boxen"

      Why not do this for ransomware attacks as well?

      1. Anonymous Coward
        Anonymous Coward

        Re: "no recovery method and nukes target boxen"

        Sometimes, ransomware waits before making its demands, so there's either no recent unencrypted backup, or no recent uninfected backup.

    2. Anonymous Coward
      Anonymous Coward

      Re: "no recovery method and nukes target boxen"

      I have backup, I have backup recovery, I have backup recovery procedures, but, but to practice my backup recovery procedures goes REALLY too far...

      1. Eclectic Man Silver badge

        Re: "no recovery method and nukes target boxen"

        Let me guess, you 'back-up' your 5.5" floppy disks by taking a photocopy of both sides?

  4. mark l 2 Silver badge

    I wonder if some script kiddies have taken the 'off the shelf' ransomware from some hacking forum or dark web and just tweaked it so it would over write file rather than encrypted them. In the hope they will still get some less technically aware people to still pay up even though their files are never going to come back.

    I mean what are you going to do with any of these malware peddling scum, leave them a bad review if they don't decrypt your files after you paid?

    1. Robert 22

      It would seem that the intent has changed. Ransomware has the primary aim of extracting money from the victims. Also, any exfiltrated data might be marketable. This malware is clearly intended to do damage. Furthermore, by masquerading as ransomware, victims will waste time and effort, and possibly money, trying to get their data back.

    2. Anonymous Coward
      Anonymous Coward

      How's the weather in Moscow tonight?

      The US, after detailed analysis, has stated that the Russian state is responsible for this attack on Ukraine.

      You are welcome to "wonder" as you please, but we don't need the musings of a random internet person with, clearly, inability to read beyond what their imagination surmises.

  5. cantankerous swineherd

    betting the farm on the internet considered harmful.

  6. Clausewitz 4.0

    Marble Framework

    Nowadays, even the PE Rich Header lies to you.

    So the encryption methods used, PDB Path, System Language.

  7. martinusher Silver badge

    Professional Basketcases?

    Ukraine is in the news a lot these days, usually because its the subject of some attack of threat or because its complaining about lost pipeline revenue. Its actually a huge, rich country -- it should be one of the most prosperous in Europe, but instead of prospering its main industry seems to be blaming others for its misfortune.

    Maybe if its leadership was less interested in creaming off gas pipeline revenue and its rank-and-file less interested in reliving their glory days as a Axis puppets ("sort of") then it might be able to get itself organized. These cyber attacks are kiddie script stuff, they should be just a nuisance that would be easily fended off by an adequate IT department. Instead, we have to see it as some manifestation of Putin's evil intent. (I must confess if I were I Russian hacker locked in my basement during a long, cold, Russian winter I'd be tempted to have a go myself.)

    Let's face it, the only reason for being interested in NATO is that it brings with it a lot of money. They play geopolitical stooge and the dollars roll in. Same with getting into the EU (more of a long shot) -- inbound investment plus free movement for your surplus/disaffected population, what's not to like?

    (FWIW -- No, I'm not a Russian stooge. I'm an American taxpayer.)

    1. Synkronicity

      Re: Professional Basketcases?

      There are a lot of Russian stooges who happen to be American taxpayers. There was also one who wasn't a taxpayer but still ran the country.

      1. Jellied Eel Silver badge

        Re: Professional Basketcases?

        Hey, at least the US and Ukraine have something in common. Both elected comedians, both are charging ex-Presidents with insurrection & high treason. Both are cracking down on the media and anyone that doesn't toe the party line.

        Then there are other curious things. Trump accused of being a Russian stooge, and partying with hookers, but other than the Steele allegations, no evidence. There was/is evidence of Hunter Biden partying with Russian hookers & drug dealers though. Or just the Biden's dealings with Ukraine, or why Democrat's servers ended up in Ukraine.

        But such is politics. Ukraine has a lot of good IT types, and software development skills, so games development as an example. Sadly it also has a lot of corruption & oligarchs looking for the next way to loot the country.

      2. martinusher Silver badge

        Re: Professional Basketcases?

        We've had attempts to fund infrastructure renewal blocked recently on the grounds we can't afford it, it adds to much to the deficit etc. The amount was about $1Trillion, which is a lot, but was intended to be spent over 10 years.

        While all this bickering went on the annual Department of Defense appropriation bill went through without any debate. This year its just $768 billion.That's just for a year, on in BBB terms, about $10 Trillion over 10 years. This is the visible budget; there's also a significant 'black' component and wars like Afghanistan are funded separately.

        I'm tired of continually funding the military/industrial complex (Eisenhower's term) and corrupt, incompetent foreign governments while our own people are hurting. The videologger "Bald and Bankrupt" likes to tour the more obscure parts of the old USSR looking at crumbling infrastructure and poor people but I don't need to go to those extremes, I just need to leave my wealthy enclave and look around me, a lot of it's visible from the Interstate.

        (The UK is no stranger to this sort of thing. Stringent budget economy is, and always has been, the order of the day except when there's a need to fund new weapons systems.)

    2. Chris G Silver badge

      Re: Professional Basketcases?

      One of the reasons Ukraine is losing money on it's transit pipeline is the lack of maintainance and proper repairs to damage done by gas robbers.

      The same problems exist for a lot of other infrastructure in the country because they prefer to bank amy money they make offshore instead of re-investing.

      Then the government bleats that another pipeline is going to take transit fees away from them, when the real reason is that although the Ukrainne route is needed, it is in need of maintainance that is not being done.

      My wife is Russian and like many Russians has Ukrainian relatives and friends who we hear from regularly.

      1. W.S.Gosset Silver badge

        Re: Professional Basketcases?

        > Ukraine is losing money on it's transit pipeline

        I think you might be thinking of the _future_ loss of revenue after Nord Stream 2 comes on line and the expiry of the current fixed minimum transit of Gazprom's Russian gas in 2024. About $3bn IIRC. For now, I believe it remains very profitable.

        Merkel was _warned_, extensively, that Nord Stream 2 was designed as an attack on Ukraine, part of Putin's medium-term revanchist goals. She applied her usual intellect and insight to the decision.

        1. Chris G Silver badge

          Re: Professional Basketcases?

          Flow through the Ukraine was reduced last year, largely due to a combination of demand from Europe and the disintegrating infrastructure of the line within Ukraine. A number of fires have occurred some due to attempts to steal gas (not easy to do) repairs have been patchy and so has maintenance.

          Nord stream 2 was intended to improve gas supplies to Northern and Western Europe while the Ukrainian route was more for Eastern and Southern Europe, Russia wants and needs both but with the current animosity from Ukraine with US backing it is not easy for Gazprom to rely on the southern route, hence the controversy on the north.

          The US is against anything that competes with their control of oil and gas so backs Zelensky in the hopes of destroying NS2 and selling unecological expensive fracked gas to Europe

          1. Morten Bjoernsvik

            Re: Professional Basketcases?

            NS2 will be ready next year, then Putin can circumvent Ukraina, and pick pocket his friends for cheap gas.

            But Europe have themselves to blame, especially Germany decommissioning and neglecting nuclear power-plants. Now full of solar and windmills, but what do they do then there is no sun or no winds (like most of the autumn and winter), they have to buy expensive power from elsewhere. In Norway we usually have a a 15% (10TWh) surplus of ACER-friendly generated electric power from waterfalls. And we have -10C and belov lots of the winter.

            This winter the high prices in Europe tempted the incompetent leadership of StatsKraft to sell all they had emptying the water-magazines and viola, we have to set the power price higher than all of Europe to prevent export. resulting in a on average 600% increase this winter.

            The fallout are unemployment and shitload of bad publicity for the ruling parties. they show a 40% decrease in the polls.

            We have two new cables to UK and Germany with 600GWh capacity each, 10 fold the old cable capacity, On top of it we also have the Nettleie, a charge on top because of impedance in the cables, because of all this export we need to pay based on our max utilization day of the month to promote freezing and cold dinners (This was luckily avoided and turned down in the last hour).

            We get some refunds via the goverment a 20%, but my powerbill for december was still NOK5000, it uses to be NOK1500. This refund does not yet cover small businesses and flat complex.

            Now they talk of electrifying a 4TWh Ammonium plant and all the 50+ oil platforms in the North Sea around 10TWh, Statskraft earned around 64Bill NOK (£6.4Bill) into the government koffers last year and the government is giving back around 6Bill NOK in support.

            Norway the battery of Europe, while its population is freezing.

          2. W.S.Gosset Silver badge

            Re: Professional Basketcases?

            Ah ha: I spy with my little eye, a skewed&spun information supply.

            Aside: > The US

            I'm afraid if you're looking to pin a name on the LNG global powerhouse capable of manipulating the world's gas markets for nefarious selfish triumphalism, then the fiendishly powerful mystery figure with the white cat, wicked scar, and ominous swivel chair is ... >dum dum DUM< ... Australia. Not the US. We control nearly a quarter of the world's (nonpipeline) gas exports, you see; the US is a little weedy player trying to sell in behind us. Mwoohahahahaaaaaa.

            But LNG is only a quarter of EU's piped supply since it's relatively expensive (compress-ship-decompress = $$) plus also seriously constrained re specialist import terminals/hardware. So both of us are a bit of a non-event for the EU.

            Also, everyone outside the media pretty much just ignored the US re NS2, apart from when Russia invaded Ukraine and EU & US teamed up on sanctions.

            By the bye: > unecological...fracked

            Ecological, actually. What they're injecting (beside water and detergent) is something you will pay quite a bit for in your local super-organic ultranatural vegan health food store. The extract thereof you probably eat a fair bit of, most days, in things like biscuits, sausage rolls, lollies, sauces, etc. But of course, they're fracking so far below the water table that the point's moot anyway.

            > disintegrating infrastructure of the line within Ukraine. ... repairs have been patchy and so has maintenance

            Yup, this is true, but "disintegrating" is OTT. Yes re excessive "friction". Erodes Ukraine's profit; can occasionally create supply degradation & hassles. EU reckons $2.5bn to refurb it to as-new condition, possibly up to $12bn. Needs to be done, at some stage.

            > Flow through the Ukraine was reduced last year, largely due to...

            ...almost entirely due to the Gazprom-mandated reduction in Gazprom's contract, which dropped (in bcm/yr) from 60 to 40 and will remain on 40 until 2024.

            There were substantial additional short-term/flex sales/supplies in the past, but Gazprom switched to playing NoNoNoYouCan't and refusing all supplies except via long-term contracts: the Kremlin has been quite clear about that (translated). Marginal supply doesn't work that way so this only allows participation by long-term fixed users whose contracts happen to be ending, so this apparently-innocuous demand actually stamped on marginal/variable gas supply for, eg, EU electricity generation.

            > Nord stream 2 was intended to improve gas supplies to Northern and Western Europe while the Ukrainian route was more for Eastern and Southern Europe


            A/ Russia is circumventing Ukraine _both_ North and South: Nord Stream 2 and Turkstream.

            B/ Importantly: Ukraine dumps straight into the existing primary European & Turkish gas hubs. NS2 requires either many $bn spent on new pipelines from the German coast to the Austrian hub, or the construction of a new German hub. The latter will suck money out of Austria into Germany and is A Good Thing for Germany but A Bad Thing for Austria: a Net Zero for EU. NS2's total economic impact is predicted to be lower gas prices for the rich and higher gas prices for the poor: France & Germany benefit from the shorter path to them hence lower fees; Czechia, Slovakia etc vice versa. Nord Stream 2 is great if you fervently believe in the richgetricher-poorgetpoorer principle.

            Regarding its extra capacity -- the existing _unused_ capacity of Ukraine's Russia transit pipeline is about _double_ NS2's max, so capacity is bit of a nonstarter, rationale-wise. They could far more easily and cheaply simply direct 2 NS2s down the existing Ukraine transit pipes rather than build a diversion. Also, if Russia uses this to cut off Ukraine supply (as everyone expects; Slovakia likely to need to reverse-flow again for the Ukraine like in 2014) then the EU's piped supply drops from 4 routes to 3: serious additional risk in terms of energy-security.

            Just on energy security, Russia has serious form re using gas as a weapon. Eg, see pp15-16 in this EU doct for over 20 "Select examples of Russia’s use of energy coercion" : "Energy as a tool of foreign policy of authoritarian states".

            I agree with your general thrust that Ukraine is something of a corrupt shambles and that the pipelines need proper maintenance+repair, but your other information seems contradicted by the industry, the market, etc.

            1. martinusher Silver badge

              Re: Professional Basketcases?

              Thanks for the informative post. I do suggest, though, that the issue of Russian gas supply is a consequence of the free market. The Russians can, and will, supply gas on mutually agreed terms. They are, though, under absolutely no obligation to supply gas outside those terms. They are under no obligation to supply anything at all, its just that its usually mutually beneficial for countries to trade.

              Our trade and sanctions policies are designed to hurt and/or weaken Russia. We assume that these policies cause unrest and so force change in our favor. In practical terms this type of policy has failed, Russia not only has ample internal resources but it als has a huge, reliable, trading partner to her East. Our politican's vanity projects we're directly and negatively impacting the lives of the people that these politicians are supposed to be enhancing. It doesn't make sense to me.

    3. Anonymous Coward
      Anonymous Coward

      Re: Professional Basketcases?

      you have no f... clue what happened in this neck of the woods during WW2, post-WW2, and what is happening now and why. That said, you're forgiven to some extent, I mean, who's got time to read past a few paragraphs in wikipedia, etc.

  8. Death Boffin

    Belarus as the attacker? A distinction without a difference.

    1. Anonymous Coward
      Anonymous Coward

      Belarus is a very poor country with almost no experts in IT, never mind experts in networks and hacking.

      The attack was orchestrated and performed by Russia.

  9. ZekeStone

    There is always a recovery method if you have a good backup strategy

    If you have a good backup strategy that includs online and offline backups, there is always a recovery method.

    Also I suspect much of the problems can be avoided if proper security measures are taken... such as not allowing users to log in with accounts that have admin rights.

    1. Anonymous Coward
      Anonymous Coward

      Re: There is always a recovery method if you have a good backup strategy

      Unfortunately cryptolocker infections don't require anything close to admin rights, nor is it required to make Windows wholly unbootable :-(

      1. Not Yb

        Re: There is always a recovery method if you have a good backup strategy

        You don't even have to have a virus infection to make Windows unbootable, though they have gotten somewhat better at system updates these days.

  10. Anonymous Coward
    Anonymous Coward

    Missing detail, but easy to guess

    So far the wiper is said to have infected "dozens" of systems.

    Let me guess, that would be Windows systems, yes?

    Plus ça change.

  11. HenryCrun

    Time for a non-Windows operating system? Not 100% ideal I know, but it may be better than nothing.

    Never had these problems with ICL mainframes :-) ;-)

  12. Anonymous Coward
    Anonymous Coward

    A combination of useful idiots and Russian troll farms are present on forums and comment sections of newspapers and media.

    You will note that many of the above comments purposefully disregard existing evidence of fact that Russia orchestrated and performed this cyber attack on multiple Ukrainian resources. Don't give in to misinformation: Russia is the source of most recent notable cyber attacks. Their pathetic troll farms in and outside Moscow aren't great quality, which is why repeated investigations leads back to Russia as the source of these comments.

    If Putin and friends concentrated as much effort on making the USSR, sorry Russia, a better place to live then perhaps they wouldn't need to blame others for just how bad a place Russia is to live in these days. Nobody from a developed economy emigrates to Russia unless they are an idiot. George Blake did and regretted it greatly, as he swallowed the lie.

    1. Anonymous Coward
      Anonymous Coward

      Reputable investigative journalism agencies have repeatedly cited Russia as the origins of various misinformation campaigns.

      There is blood on the hands of those creating and propagating the misinformation war. I bear no grudge against the Russian "people" as a whole, only their dictatorship. Before someone yells Russia is a democracy, it is no more a Democracy than the DPRK. Ample evidence by the oppression of opposition political parties & groups.

      Crimea is easily a parallel to the Annexation of Austria. Eastern Ukraine, highly parallel to the Annexation of the Sudetenland.

      What next; Ukraine parallel to Czechoslovakia as a whole? Puppet regimes in Belarus and Kazahstan getting militant too, blatantly flying against the interests of the population ending in bloody repression?

      The failings of the appeasers in the 1930's are plain to see and the west should remember those hard fought and bloody lessons. The line has to be drawn, it already exists on political maps drawn up at the breakup of the Soviet Union, and should be maintained.

      The barking dog needs to be given a good boot to bring it into order. Not fed another steak to mollify it for 30 seconds. And yes, if that means going into direct conflict, so be it. The alternative is inviting a greater catastrophe at the whim of a dictator.

      So yeah, basically fuck Putin and his cronies.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022