Cyberattackers deployed ransomware in several instances to serve as a “decoy or distraction” as they targeted organizations in Ukraine with disk-wiping malware on Wednesday, just before Russia’s invasion of the country, researchers at Symantec said.
The data wiper has been dubbed HermeticWiper by a researcher at SentinelOne, since its digital certificate had been issued under the name Hermetica Digital Ltd.
Researchers at Symantec and ESET first disclosed details on the data wiper on Wednesday. ESET reported that the wiper was installed on hundreds of machines in Ukraine, and followed distributed denial-of-service (DDoS) attacks targeting Ukrainian websites earlier in the day.
Symantec’s researchers reported they’ve also discovered evidence that the wiper attacks affected machines in Lithuania and Latvia.
Decoy for destructive malware
In the attacks Wednesday, Symantec researchers said that the destructive malware was deployed against defense organizations as well as financial, aviation and IT services companies. And ransomware was a component of the attacks in some cases.
“In several attacks Symantec has investigated to date, ransomware was also deployed against affected organizations at the same time as the wiper,” Symantec researchers said in a blog post.
“As with the wiper, scheduled tasks were used to deploy the ransomware,” the researchers said. “File names used by the ransomware included client.exe, cdir.exe, cname.exe, connh.exe, and intpub.exe.”
Notably, “it appears likely that the ransomware was used as a decoy or distraction from the wiper attacks,” the Symantec researchers said, posting an image of a presumably fake ransom note used with the ransomware.
This approach “has some similarities to the earlier WhisperGate wiper attacks against Ukraine, where the wiper was disguised as ransomware,” the researchers said, referring to the January attacks that left dozens of the Ukrainian government’s websites inaccessible or defaced.
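The Symantec write-up above notes that scheduled tasks were used to deploy the ransomware and lists the file names involved. As an added example, not code from Symantec or from this article, the following Python scanner flags scheduled-task creation records whose command runs one of those file names. The log format is a constructed, simplified one (pipe-separated fields) rather than real Windows event output, and the hostnames and accounts in it are made up.

```python
import re
from dataclasses import dataclass

# File names the Symantec write-up associates with the ransomware decoy.
DECOY_NAMES = {"client.exe", "cdir.exe", "cname.exe", "connh.exe", "intpub.exe"}

# Constructed sample of "scheduled task created" records, one per line.
# Assumed layout: timestamp | host | creating user | task name | command.
SAMPLE_LOG = """\
2022-02-23T16:02:11Z | ws-fin-07 | CORP\\svc_backup | \\Microsoft\\Windows\\Backup\\Nightly | C:\\Program Files\\Backup\\backup.exe --full
2022-02-23T16:04:52Z | ws-fin-07 | CORP\\admin2 | \\Update | C:\\Windows\\Temp\\client.exe
2022-02-23T16:05:03Z | srv-it-02 | CORP\\admin2 | \\Sync | C:\\Users\\Public\\CDIR.EXE
2022-02-23T16:07:40Z | ws-av-01 | CORP\\jdoe | \\Adobe Acrobat Update Task | C:\\Program Files\\Adobe\\AdobeUpdate.exe
2022-02-23T16:08:15Z | srv-it-02 | CORP\\admin2 | \\Cleanup | cmd.exe /c C:\\ProgramData\\intpub.exe
"""

@dataclass
class Hit:
    timestamp: str
    host: str
    user: str
    task: str
    command: str
    matched: str  # the decoy file name that triggered the hit

def basename(token: str) -> str:
    """Last path component of a command token, lower-cased, quotes stripped."""
    return re.split(r"[\\/]", token.strip('"'))[-1].lower()

def scan_task_log(log: str) -> list[Hit]:
    """Return one Hit per task record whose command references a decoy file name."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, user, task, command = (p.strip() for p in line.split("|", 4))
        # Check every token so wrappers such as "cmd.exe /c <path>" are still caught.
        for token in command.split():
            name = basename(token)
            if name in DECOY_NAMES:
                hits.append(Hit(ts, host, user, task, command, name))
                break
    return hits

if __name__ == "__main__":
    for h in scan_task_log(SAMPLE_LOG):
        print(f"{h.timestamp} {h.host} {h.user} task={h.task!r} -> {h.matched}")
```

A single account creating tasks with these names across several hosts within minutes, as in the constructed sample, is the pattern worth correlating with the wiper deployment rather than treating each task in isolation.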
Cyber escalation
As for HermeticWiper, Juan Andres Guerrero-Saade, the researcher at SentinelOne who gave the malware its name, reported that the wiper deletes shadow copies and manipulates the Master Boot Record (MBR), erasing Windows devices after a reboot.
“After a week of defacements and increasing DDoS attacks, the proliferation of sabotage operations through wiper malware is an expected and regrettable escalation,” Guerrero-Saade wrote.
Ultimately, the risk has only intensified that the cyberattacks “could extend out of Ukraine, and impact NATO and EU member states,” researchers at the Digital Shadows Photon Research team said Thursday. “This has already been observed with HermeticWiper impacting networks in Latvia and Lithuania.”
The 2017 NotPetya attack “immediately springs to mind,” the Digital Shadows researchers said. Ordered by the Russian government and initially targeted at companies in Ukraine, the NotPetya worm ended up spreading worldwide. It remains the costliest cyberattack to date, with damages of $10 billion.
Additionally, Russia-based cybercriminals “may also be emboldened or otherwise encouraged by Russia’s actions,” the Digital Shadows researchers said.