HermeticWiper: New data‑wiping malware hits Ukraine

Next story

A number of organizations in Ukraine have been hit by a cyberattack that involved new data-wiping malware dubbed HermeticWiper and impacted hundreds of computers on their networks, ESET Research has found. The attack came just hours after a series of distributed denial-of-service (DDoS) onslaughts knocked several important websites in the country offline.

Detected by ESET products as Win32/KillDisk.NCV, the data wiper was first spotted just before 5 p.m. local time (3 p.m. UTC) on Wednesday. The wiper’s timestamp, meanwhile, shows that it was compiled on December 28th, 2021, suggesting that the attack may have been in the works for some time.

<iframe id="twitter-widget-0" scrolling="no" frameborder="0" allowtransparency="true" allowfullscreen="true" class="" title="Twitter Tweet" src="https://platform.twitter.com/embed/Tweet.html?creatorScreenName=welivesecurity&dnt=true&embedId=twitter-widget-0&features=eyJ0ZndfZXhwZXJpbWVudHNfY29va2llX2V4cGlyYXRpb24iOnsiYnVja2V0IjoxMjA5NjAwLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X2hvcml6b25fdHdlZXRfZW1iZWRfOTU1NSI6eyJidWNrZXQiOiJodGUiLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X3NwYWNlX2NhcmQiOnsiYnVja2V0Ijoib2ZmIiwidmVyc2lvbiI6bnVsbH19&frame=false&hideCard=false&hideThread=false&id=1496581903205511181&lang=en&origin=https%3A%2F%2Fwww.welivesecurity.com%2F2022%2F02%2F24%2Fhermeticwiper-new-data-wiping-malware-hits-ukraine%2F&sessionId=21866ac8a53dfd7d4c28097d6f9b9e20a90a5340&siteScreenName=welivesecurity&theme=light&widgetsVersion=2582c61%3A1645036219416&width=500px" data-tweet-id="1496581903205511181" style="box-sizing: border-box; position: static; visibility: visible; width: 500px; height: 386px; display: block; flex-grow: 1; "></iframe>


HermeticWiper misused legitimate drivers of popular disk management software. “The wiper abuses legitimate drivers from the EaseUS Partition Master software in order to corrupt data,” according to ESET researchers.

Additionally, the attackers used a genuine code-signing certificate issued to a Cyprus-based company called Hermetica Digital Ltd., hence the wiper’s name.

It also appears that at least in one case, the threat actors had access to a victim’s network before unleashing the malware.

Earlier on Wednesday, a number of Ukrainian websites were knocked offline in a fresh wave of DDoS attacks that have been targeting the country for weeks now.

In the middle of January, another data wiper swept through Ukraine. Called WhisperGate, the wiper masqueraded as ransomware and brought some echoes of the NotPetya attack that hit Ukraine in June 2017 before causing havoc around the world.

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET becomes the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit www.eset.com or follow us on  FacebookYouTube and Twitter.