Ransomware - WhisperGate

WhisperGate
Aliases
PAYWIPE
WhisperKill
Decryptor Available
No
Description

WhisperGate, or WhisperKill, is a multi-stage pseudo-ransomware that is actually a file corrupter and wiper. This wiper is attributed to nation-state threat actors in Russia and Belarus named Ember Bear (DEV-0586) and Ghostwriter (UNC1151). The first stage overwrites the Master Boot Record (MBR) with an 8192-byte buffer and displays a ransom note within the MBR upon system reboot. The ransom note demands $10k in Bitcoin (BTC) and only provides a Tox Messenger ID for communication and extortion. Stage 2 is a downloader that downloads a payload on Discord's content delivery network (CDN) that is masquerading as a JPG. Once the JPG is downloaded, it is converted into a malicious file by reversing the bytes of the file. The final stage is the file corruptor itself, which acquires a list of files with certain file extensions to perform corruption. The encryption takes the first megabyte of applicable files and alters the bytes into 0xCC, also known as "INT3", which is simply a breakpoint opcode. Unbeknown to the victim, communication via the Tox Messenger ID is futile because there is no way to recover the corrupted files. However, since the stage 1 malware only overwrites the MBR, systems using GPT (GUID Partition Tables) can safely recover from the MBR overwrite. Although, the wiped files from the final stage are unrecoverable without a backup.

Ransom note pictures derived from Trellix

Ransomware Type
Wiper
Country of Origin
Belarus
First Seen
Last Seen
Threat Actors
Tipo
Actor
APT
Ghostwriter
APT
Ember Bear
Extortion Types
Pseudo-Extortion
Extortion Amounts
Amount
0.23BTC($10,000)
Communication
Médio
Identificador
Tox
Encryption
Type
Other
Files
Replaces first megabyte of files with 0xCC bytes
Crypto Wallets
Blockchain Type
Crypto Wallet
BTC
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv
File Extension
<file name>.[XXXX]
Ransom Note Image
Samples (SHA-256)
34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907
923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6
9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d
a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Known Victims
Industry Sector País Extortion Date Amount (USD)
GovernmentUkraine .23 BTC($10,000)
GovernmentUkraine .23 BTC($10,000)
Information TechnologyUkraine .23 BTC($10,000)