WhisperGate, or WhisperKill, is a multi-stage pseudo-ransomware that is actually a file corruptor and wiper. It is attributed to nation-state threat actors in Russia and Belarus named Ember Bear (DEV-0586) and Ghostwriter (UNC1151).

The first stage overwrites the Master Boot Record (MBR) with an 8192-byte buffer and displays a ransom note from within the MBR upon system reboot. The ransom note demands $10k in Bitcoin (BTC) and provides only a Tox Messenger ID for communication and extortion. Stage 2 is a downloader that retrieves a payload, masquerading as a JPG, from Discord's content delivery network (CDN). Once the JPG is downloaded, it is converted into a malicious file by reversing the bytes of the file. The final stage is the file corruptor itself, which builds a list of files with certain file extensions to corrupt. The "encryption" overwrites the first megabyte of each applicable file with 0xCC bytes, also known as "INT3", which is simply a breakpoint opcode.

Unbeknown to the victim, communication via the Tox Messenger ID is futile because there is no way to recover the corrupted files. However, since the stage 1 malware only overwrites the MBR, systems using GPT (GUID Partition Table) can safely recover from the MBR overwrite. The files wiped by the final stage, though, are unrecoverable without a backup.
Ransom note pictures derived from Trellix
Industry Sector | Country | Extortion Date | Amount (USD) |
---|---|---|---|
Government | Ukraine | | .23 BTC ($10,000) |
Government | Ukraine | | .23 BTC ($10,000) |
Information Technology | Ukraine | | .23 BTC ($10,000) |
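
For triage after an incident like the one described above, the following added example (not code from this page or from Trellix) sweeps a directory for files whose first megabyte is filled with 0xCC and checks which GPT headers survive in a raw disk image. It assumes 1 MiB for "first megabyte", 512-byte sectors, an overwrite that starts at offset 0 (so it also covers the primary GPT header at LBA 1, leaving the backup header in the last sector), and that shorter files are overwritten in full; the file names and disk image are constructed samples.

```python
import os
import tempfile

MIB = 1024 * 1024        # "first megabyte" in the write-up, taken as 1 MiB (assumption)
SECTOR = 512             # assumed logical sector size
GPT_SIG = b"EFI PART"    # GPT header signature defined by the UEFI specification


def first_mib_is_int3(path):
    """True if every byte in the first MiB (or the whole file, if shorter) is 0xCC."""
    with open(path, "rb") as fh:
        head = fh.read(MIB)
    return bool(head) and head.count(0xCC) == len(head)   # empty file: no match


def scan_tree(root):
    """Return sorted relative paths under root whose leading bytes match the pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if first_mib_is_int3(full):
                    hits.append(os.path.relpath(full, root))
            except OSError:
                continue     # unreadable file: skip it, do not abort the sweep
    return sorted(hits)


def gpt_headers(image):
    """Report which GPT headers are still present in a raw disk image (bytes)."""
    return {"primary": image[SECTOR:SECTOR + 8] == GPT_SIG,    # LBA 1
            "backup": image[-SECTOR:][:8] == GPT_SIG}          # last sector


def demo():
    """Constructed samples: two files and a 64-sector image with its first 8192 bytes zeroed."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "report.docx"), "wb") as fh:
            fh.write(b"\xCC" * MIB + b"original tail")
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"untouched content")
        hits = scan_tree(root)
    image = bytearray(64 * SECTOR)
    image[SECTOR:SECTOR + 8] = GPT_SIG       # primary header at LBA 1
    image[-SECTOR:-SECTOR + 8] = GPT_SIG     # backup header in the last sector
    image[:8192] = bytes(8192)               # stand-in for the 8192-byte overwrite
    return hits, gpt_headers(bytes(image))
```

A surviving backup header with a missing primary is the state from which GPT repair tooling can rebuild the partition table; files flagged by the sweep need to come from backup.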