More than a dozen Ukrainian government websites went down on Friday, in a cyber-attack that also targeted embassies.

The foreign and education ministries were among those hit, along with embassies in the UK, US and Sweden. Before the sites went down a message appeared warning Ukrainians to "prepare for the worst".


Level 55
Top poster
Content Creator
Apr 24, 2016
Destructive malware targeting Ukrainian organizations
Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine. This malware first appeared on victim systems in Ukraine on January 13, 2022. Microsoft is aware of the ongoing geopolitical events in Ukraine and surrounding region and encourages organizations to use the information in this post to proactively protect from any malicious activity.
Observed actor activity
Stage 1: Overwrite Master Boot Record to display a faked ransom note
Stage 2: File corrupter malware
Recommended customer actions
The techniques used by the actor and described in the this post can be mitigated by adopting the security considerations provided below:
  • Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
  • Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.
  • Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. NOTE: Microsoft strongly encourages all customers download and use password-less solutions like Microsoft Authenticator to secure accounts.
  • Enable Controlled folder Access (CFA) in Microsoft Defender for Endpoint to prevent MBR/VBR modification.