On January 15, 2022, it was reported that a malware package called WhisperGate had been deployed against Ukrainian targets. The incident is widely reported to involve three individual components implemented by the same adversary: a malicious bootloader that corrupts detected local drives, a Discord-based downloader, and a file wiper.

WhisperGate is a ransomware-type program. Typically, malicious software in this classification locks the screen of the infected device (screen locker) and/or encrypts files, demanding a ransom for access recovery/decryption. However, WhisperGate has no data decryption or recovery mechanism, and it is inconsistent with the malware frequently deployed in ransomware operations.

The displayed message suggests that victims can expect their data to be recovered, but this is technically impossible. These inconsistencies most likely indicate that WhisperGate’s activity is aimed at destroying data on affected assets.

There is no doubt that WhisperGate was designed to cause as much destruction as possible. If the cybercriminals’ digital wallet remains available, any payments extracted from victims are simply a bonus and not the real goal. This activity is reminiscent of VOODOO BEAR’s destructive NotPetya malware, which displayed a component that masqueraded as a legitimate utility after a reboot and corrupted the host’s Master File Table (MFT), a critical component of Microsoft’s NTFS file system.
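Because both WhisperGate and NotPetya tamper with the boot sector, one practical defensive check is to hash a disk's first sector against a known-good baseline. The following is an added example written for this post (not code from the original article and not from either malware family); the sample MBRs and the baseline hash are constructed inline, and a real deployment would read sector 0 of the physical disk instead.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"

def build_mbr(bootstrap: bytes, partitions: list) -> bytes:
    """Assemble a constructed 512-byte MBR: bootstrap code, disk signature,
    up to four entries of (status, type, lba_start, sectors), then 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    code = bootstrap[:440]
    sector[:len(code)] = code
    sector[440:444] = b"\x11\x22\x33\x44"  # constructed disk signature
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        off = 446 + 16 * i
        sector[off] = status
        sector[off + 4] = ptype
        sector[off + 8:off + 16] = struct.pack("<II", lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a bootstrap-code hash, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        lba_start, sectors = struct.unpack("<II", sector[off + 8:off + 16])
        parts.append({"bootable": sector[off] == 0x80, "type": sector[off + 4],
                      "lba_start": lba_start, "sectors": sectors})
    return {"code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def check_mbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Compare a freshly read MBR with the recorded baseline; return a list of findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector overwritten or corrupted")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from baseline: possible bootloader replacement")
    if all(p["type"] == 0 for p in info["partitions"]):
        findings.append("partition table empty: drive layout may have been wiped")
    return findings

# Constructed samples: a known-good MBR with one NTFS partition, plus two altered copies.
GOOD_MBR = build_mbr(b"\xeb\x3c\x90" + b"\x00" * 437, [(0x80, 0x07, 2048, 204800)])
BASELINE = parse_mbr(GOOD_MBR)["code_sha256"]   # recorded while the host was clean
REPLACED_CODE = build_mbr(b"\xfa\x31\xc0" + b"\x00" * 437, [(0x80, 0x07, 2048, 204800)])
ZEROED = bytes(SECTOR_SIZE)
```

Running the check on a schedule (or from a rescue environment after an incident) turns a silent bootloader swap into an alert before the next reboot hands control to it.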

It is important, and strongly recommended, to keep backups in several separate locations (storage devices, remote servers, etc.) to avoid permanent data loss.

