Attention: We will be transitioning to a new AAD or Microsoft Entra ID from the week of May 20, 2024. In case your tenant requires admin consent, please refer to this document located at Overview of user and admin consent - Microsoft Entra ID | Microsoft Learn and grant access to App ID: 6ba09155-cb24-475b-b24f-b4e28fc74365 with graph permissions for Directory.Read.All and User.Read for continued access.
This threat is designed to look like ransomware but lacksransom recovery mechanism. It is designed to render targeted devices inoperable rather than to obtain a ransom. It belongs to a destructive malware operation targeting multiple Ukranian organizations.
If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan and do the following:
Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.
Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. NOTE: Microsoft strongly encourages all customers download and use password-less solutions like Microsoft Authenticatorto secure accounts.
Stop suspicious processes, isolate affected devices, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.
Contact your incident response team, or contact Microsoft support for investigation and remediation services
When this threat gets in the victim's network, it overwrites the Master Boot Record (MBR) to display a faked ransom note. The MBR is the part of a hard drive that tells the computer how to load its operating system.The ransom note contains a Bitcoin wallet and Tox ID (a unique account identifier used in the Tox encrypted messaging protocol).
Indicators of compromise (IOCs)
The following list provides IOCs observed during our investigation. We encourage customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.
Apply these mitigations to reduce the impact of this threat.
Run the latest version of your operating systems and applications. Turn on automatic updates or deploy the latest security updates as soon as they become available.
Use a supported platform, such as Windows 10, to take advantage of regular security updates.
Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block majority of new and unknown variants.
Use the included indicators of compromise listed in the Technical information section of this threat description to investigate whether they exist in your environment and assess for potential intrusion.
Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.
Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. NOTE: Microsoft strongly encourages all customers download and use password-less solutions like Microsoft Authenticatorto secure accounts.
Stop suspicious processes, isolate affected devices, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.
Contact your incident response team, or contact Microsoft support for investigation and remediation services
Microsoft Defender Antivirus detects this threat on your device. If this threat is detected on your environment, we recommend that you immediately investigate it.
