Ukraine's Energy Ministry website is hacked by Bitcoin ransomware

Ukraine's Energy Ministry suffers from the ransomware attack

The popularity of ransomware viruses has been growing steadily – in 2017, 40% of all cyber attacks were initiated by crypto-viruses.^[1] Last year also revealed that government authorities are as vulnerable as simple home users. It seems that the latest victim – Ukraine's Ministry of Energy and Coal. According to findings, to hit the official ministry website and encrypt files, bad actors made the use of Drupal vulnerability dubbed Drupalgeddon2.^[2]

It seems like it was a targeted attack as no other high-profile organization or other government institution was affected. It is quite lucky that the attack did not affect the operation of the plant itself; the cyber-police spokeswoman Yulia Kvitko rushed to explain the situation:

This case is not large-scale. If necessary, we are ready to react and help. Our specialists are working right now… We do not know how long it will take to resolve the issue. Ukrenergo, Energoatom – everything is okay with their sites, it’s only our site that does not work.

She also added that the email system of the ministry is working normally without any disruptions.

Two hackers are believed to be responsible for the compromised website

Security researchers believe that the attack was carried out by two different cybercrooks. The person who is responsible for taking over the website is hacker naming himself/herself X-Zakaria. However, experts believe that there was a second bad actor who used the backdoor^[3] to go in, encrypt all files, and try to earn some money. The ransom note is written in English and demands 0.1 Bitcoin – $911 at the current exchange rate.

It is unclear whether both hackers are working together or separately; however, it is highly likely that they did not communicate a lot. There is also a possibility that this attack was generated only to test their skills and go for something much more significant because at the moment cybercrooks have only three transactions inside the provided Blockchain address^[4] equal to 0.015 BTC ($136).

Drupalgeddon2 has already been exploited by multiple criminals

Drupal CMD software is an open-source content management framework written in PHP. It has been widely used by governmental institutions and other high-profile companies. Just as any other piece of software, it is susceptible to CVEs.^[5]

Ukraine’s Ministry of Energy and Coal was using Drupal 7 which is currently known to be under the attack by cybercriminals. In fact, the Drupalgeddon2 exploit was patched just last month – in March.

Again, it shows how important it is to patch software (Drupal, WordPress, Joomla, etc.) that handles important company's tasks. These platforms might be targeted within days or hours after the vulnerability disclosure. Thus, organizations need to ensure that security procedures are executed promptly, instead of waiting for the ransomware attack to occur.

At the time of the writing, the official site http://www.mev.gov[.]ua/ seems to be back online, and it looks like cybersecurity experts managed to tackle the ransomware attack.

Ransomware attacks are not a new phenomenon in Ukraine

Ransomware attacks can be devastating as they cause a lot of disruption for the whole company. Furthermore, they can result in a complete loss of sensitive data. Ukraine's government seems to be one of the leading victims targeted by such cyber threats as Petya and NotPetya^[6] that caused complete havoc in country's infrastructure in 2016 and 2017.

For these ransomware outbreaks US and UK blamed Russia as both, Ukraine and Russia, were under a serious dispute. Nevertheless, it seems like the attack on Ukraine’s Ministry of Energy and Coal website was implemented by low profile hackers.