A Ransomware That Doesn’t Extort Money WinDestroyer & Its Origin

EXECUTIVE SUMMARY

The CYFIRMA research team has identified a destructive malware; WinDestroyer. The ransomware lacks ransom demands, pointing to non-financial motivation. This sophisticated threat employs advanced techniques, such as DLL reload attacks, API hammering, and lateral movement capabilities, rendering systems unusable. The geopolitical motivation is evident through the associated YouTube channel featuring praise for the Russian president. By investigating Russian leaked databases, we were able to reveal the real identity of the threat actor behind the malware. This report talks about WinDestroyer’s capabilities, the hacktivist angle, and the identified threat actor, providing valuable insights for attribution and proactive cybersecurity measures.

INTRODUCTION

During the inspection of submissions to public sandboxes, the CYFIRMA research team came across a new malware named “WINDESTROYER.exe” that encrypts files and renders the targeted system unusable.

KEY FINDINGS

• The malware is destructive and infects all executables, including encryption of EXEs – rendering victim systems unusable.
• Launches DLL reload attacks and API hammering.
• Contains functionalities of a bootkit and can persist via registry
• Lateral movement capabilities – looks for network shares and infects all files.
• Lack of ransom note, and ransom demand implies that the malware developer is not financially motivated.
• The malware developer is from Saint Petersburg, Russia and has likely created the malware to be used for hacktivism.

Behaviour

Functionality to make API calls
Enables the attacker to interact with the operating system, facilitating the execution of malicious commands and manipulation of system functions.

Infects the Volume Boot Record (VBR) of the hard disk
Alters the boot sector, giving the attacker persistence and control over the system during startup, allowing for stealthy and persistent malware execution.

Process Injection
Permits the attacker to inject malicious code into legitimate processes, evading detection and executing unauthorized actions within the context of trusted applications.

Registry changes
Facilitates the modification of critical system registry settings, enabling the attacker to achieve persistence and manipulate system configurations.

Functionality to open port and listen to incoming connections
Creates a backdoor for the attacker, allowing unauthorized access to the system and potentially facilitating the exfiltration of sensitive data.

Creation of a DirectInput object for checking user activity
Provides the attacker with the ability to monitor and analyze user input, potentially capturing sensitive information such as passwords or keystrokes. The malware also takes a screenshot of the victim system using BitBlt API. The BitBlt function, which stands for “Bit Block Transfer,” is a Windows API function used for copying a rectangular block of pixels from one device context to another. It is often employed in graphics programming and is part of the Windows GDI (Graphics Device Interface) subsystem.

Functionality to enumerate network shares
Looks for low hanging fruits within the network by identifying and accessing shared resources, allowing unauthorized access to sensitive data on connected systems.

Functionality to list files within a directory
Facilitates reconnaissance by allowing the attacker to gather information on file structures, aiding in the encryption process.

Functionality to prevent local debugging
Impedes the debugging process, making it more challenging for security professionals to analyze and detect malicious activities during the investigation.

Infects Executable Files
Compromises the integrity of executable files, allowing the attacker to implant malicious code, leading to the execution of unauthorized commands or actions.

Encrypts documents and EXEs

EXTERNAL THREAT LANDSCAPE MANAGEMENT

Since the threat actor is not looking to make money with this encryptor, the other most common motivator is geopolitics. The malware is designed to render the victim systems non-functional once it’s executed, which is something hacktivists are likely going to enjoy taking credit for.

Upon investigating further, we came across a YouTube Channel with the name The WinDestroyer.

Email: theWinDestroyer@gmail[.]com

Note how the YouTube account profile picture has the Windows logo followed by the word “Destroyer”. The only post on the channel is a video glorifying Russian president Vladimir Putin.

This information was a valuable pointer for attribution. Including other evidence, we can ascertain with high confidence that the malware developer is from Russia and has likely created WinDestroyer to be used for hacktivism.

The sample was uploaded to one of the public sandboxes from the UK and Ukraine, which is in line with our victimology assessment that the Russian threat actor is actively spreading it in the wild to targets in countries that are “not friendly” to Russia.

Further to this, we started looking into people from Russian origin who might have used this username (since the developer is clearly obsessed with it). Not to our surprise, we found multiple hits for “WinDestroyer” within leaked Russian databases. This led us to find the real name, city of residence, previously used IP address and suspected social media handles of the geopolitically motivated malware developer.

CONCLUSION

WinDestroyer’s intent aligns with hacktivist intent, emphasizing disruption over financial gain. Amidst the ongoing Russia-Ukraine conflict, the malware could be employed strategically as a digital weapon. Being a noisy malware, any harm from this malware can be prevented by implementing basic endpoint detection and response controls. However, this will still pose a risk to some of the SMBs who lack those controls. By disrupting critical systems, disabling communication channels, and compromising sensitive data, the malware could significantly impact the targeted infrastructure. CTI practitioners must prioritize international collaboration and intelligence sharing to gain a deeper understanding of such emerging threats.

RECOMMENDATIONS

Strategic Recommendations:

• Enhance Endpoint Protection: Deploy and regularly update advanced endpoint protection solutions with heuristic analysis to detect and prevent WinDestroyer infections, minimizing the risk of system compromise.
• Geopolitical Threat Modeling: Incorporate geopolitical threat modeling into the organization’s risk management strategy, considering potential cyber threats associated with the Russia-Ukraine conflict and tailoring security measures accordingly.
• Incident Response Simulation: Conduct simulated incident response exercises to ensure readiness for a potential WinDestroyer attack. Test communication channels, incident coordination, and recovery processes to minimize downtime.

Management Recommendations:

• Cybersecurity Governance Review: Conduct a comprehensive review of cybersecurity governance structures, ensuring alignment with emerging threats like WinDestroyer. This includes refining incident response plans, threat intelligence integration, and cross-functional collaboration.
• Invest in Threat Intelligence Platforms: Enhance capabilities by investing in advanced threat intelligence platforms to monitor emerging threats, track geopolitical indicators, and receive updates on potential attacks linked to the ongoing Russia-Ukraine conflict.
• Cross-Industry Collaboration: Foster collaboration with government agencies, industry peers, and international cybersecurity organizations to share threat intelligence, best practices, and coordinate responses to mitigate the impact of geopolitically motivated cyber threats.

Tactical Recommendations:

• Implement Network Segmentation: Enforce strict network segmentation to contain the lateral movement capabilities of WinDestroyer, limiting the potential impact on critical systems and sensitive data.
• Regular Backups and Offline Storage: Regularly back up critical data and ensure offline storage to prevent encryption by WinDestroyer. Establish a robust backup and recovery strategy to minimize data loss and downtime.
• User Education and Awareness: Conduct ongoing cybersecurity awareness training to educate users about phishing threats, suspicious emails, and the importance of reporting any unusual system behavior promptly.
• Continuous Monitoring: Implement continuous monitoring tools to detect anomalous activities associated with WinDestroyer. Leverage behavior analysis and anomaly detection to identify potential threats in real-time.

MITRE MAPPING

IOC(s)