Elastic Security has verified a new destructive malware targeting Ukraine: Operation Bleeding Bear.
Over the weekend, Microsoft released details about this multi-stage and destructive malware campaign that the Ukrainian National Cyber Security Coordination Center has been referring to as Operation Bleeding Bear.
Elastic users are fully protected from attacks like these through our advanced malware detection and Ransomware Protection capabilities, and the Elastic Security team continues to monitor these events. This case highlights the importance of prevention when it’s up against ransomware and malware with destructive capabilities.
In this full-length article, we break down the involved malware providing new insights and highlighting behaviors that can be used to help identify this activity.
Elastic Security researchers provide an overview of Operation Bleeding Bear, including how it wipes the Master Boot Record, uses tampering techniques such as disabling Windows Defender, leverages process hollowing, and corrupts files across the file system. We also outline defensive recommendations, specific Indicators of Compromise (IoCs) and a how-to-locate and remediate guide using Elastic Security and the MITRE ATT&CK® framework — identifying malware components at each stage.
Existing Elastic Security users can access these capabilities within the product. If you’re new to Elastic Security, take a look at our Quick Start guides (bite-sized training videos to get you started quickly). And you can always get started with a free 14-day trial of Elastic Cloud.