UKRAINE ORGANIZATIONS HIT BY A NEW WIPER MALWARE

INTRODUCTION

A new wiper malware was used in fresh attacks against hundreds of machines in Ukraine as Russian forces formally launched a full-scale military operation against the country. The new data wiper, known as HermeticWiper, followed DDoS and SMS spam attacks on Ukraine earlier in the day.

Jean-Ian Boutin, head of ESET Threat Research, said via email that “These were large organizations that have been affected,” adding: “We cannot give attribution based on information that is available to us, but the attack appears to be related to the ongoing crisis in Ukraine.”

ESET first noted the attack on Twitter on Wednesday, with Broadcom Software’s Symantec division confirming it on the platform soon after. ESET said the malware abuses legitimate EaseUS Partition Master drivers in order to corrupt and destroy data.

What is a Wiper Attack?

A wiper attack involves wiping, overwriting or removing data from the victim's systems. Unlike most cyber-attacks, which tend to be carried out for monetary gain, wiper attacks are destructive in nature and usually involve no ransom demand. Wiper malware may also be used to cover the tracks of a separate data theft.

HermeticWiper is the second major disk-wiping malware used against Ukraine this year. Before it, destructive malware known as WhisperGate was deployed on Ukrainian computer systems. Broadcom-owned Symantec said a similar tactic is being used with HermeticWiper, which Symantec tracks as Trojan.Killdisk.

In several attacks Symantec has investigated to date, ransomware was also deployed against the affected organizations at the same time as the wiper. According to Symantec, “It appears likely that the ransomware was used as a decoy or distraction from the wiper attacks.”

How is the malware delivered?

HermeticWiper uses four drivers from EaseUS Partition Master. It disables the Windows Volume Shadow Copy Service (VSS) before wiping data, then wipes evidence of itself from disk. Disabling VSS matters because shadow copies are what a local recovery of overwritten files would otherwise fall back on.

The DDoS attacks that preceded the wiper had escalated over the previous week, adding to the damage. At least one of the intrusions involved deploying the malware directly from the Windows domain controller, which indicates that the attackers had already gained control of the target network.
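The behaviour chain described above (a legitimate partition-tool driver being loaded, the Volume Shadow Copy service being disabled, then the binary deleting itself) is what a detection engineer would hunt for, and any one of those events on its own is noisy. The following is an added example, not code from the original article or from ESET or Symantec: a Python script that scans a simplified, pipe-delimited event stream (constructed sample lines standing in for Sysmon driver-load records (event 6), Sysmon file-delete records (event 23) and the System log's service start-type-change event 7040) and raises an alert only when at least two distinct indicators cluster within a time window. The driver file name, the file paths and the signer substring in SUSPECT_DRIVER_SIGNERS are assumptions made for the example, not values taken from the article.

```python
import re
from datetime import datetime, timedelta

# Assumption: substrings identifying the partition tool's driver signer.
# The article only says the abused drivers ship with EaseUS Partition Master;
# the exact certificate subject differs per driver version, so tune this list.
SUSPECT_DRIVER_SIGNERS = ("easeus",)

# Two or more distinct indicators inside this window are treated as one chain.
WINDOW = timedelta(minutes=15)

# Constructed sample events (not real telemetry), one per line in the form
# timestamp|channel|event_id|message. Driver and file names are made up.
SAMPLE_LOG = """\
2022-02-23T16:40:01Z|Sysmon|6|Driver loaded: ImageLoaded=C:\\Windows\\System32\\drivers\\abcd.sys Signature="EaseUS SOFTWARE CO., LIMITED" SignatureStatus=Valid
2022-02-23T16:40:05Z|System|7040|The start type of the Volume Shadow Copy service was changed from demand start to disabled
2022-02-23T16:40:09Z|Sysmon|23|File Delete archived: Image=C:\\Users\\Public\\update.exe TargetFilename=C:\\Users\\Public\\update.exe
2022-02-23T16:41:00Z|Sysmon|6|Driver loaded: ImageLoaded=C:\\Windows\\System32\\drivers\\intelppm.sys Signature="Microsoft Windows" SignatureStatus=Valid
"""

# key=value pairs; values may be double-quoted when they contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one pipe-delimited line and pull key=value pairs out of the message."""
    ts, channel, event_id, message = line.split("|", 3)
    fields = {k: v.strip('"') for k, v in _KV.findall(message)}
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "channel": channel,
        "event_id": int(event_id),
        "message": message,
        "fields": fields,
    }


def classify(ev):
    """Map an event to one of the three wiper indicators, or None if benign."""
    f, msg = ev["fields"], ev["message"].lower()
    if ev["channel"] == "Sysmon" and ev["event_id"] == 6:
        # Driver load: flag a partition-tool signer, ignore Microsoft and others.
        signer = f.get("Signature", "").lower()
        if any(s in signer for s in SUSPECT_DRIVER_SIGNERS):
            return "partition_tool_driver_loaded"
    if ev["channel"] == "System" and ev["event_id"] == 7040:
        # Service Control Manager: VSS start type switched to disabled.
        if "volume shadow copy" in msg and "to disabled" in msg:
            return "vss_service_disabled"
    if ev["channel"] == "Sysmon" and ev["event_id"] == 23:
        # File delete where the deleting process removes its own image.
        target = f.get("TargetFilename", "").lower()
        image = f.get("Image", "").lower()
        if target and target == image:
            return "self_deletion"
    return None


def analyze(log_text):
    """Return all indicator hits and whether >= 2 distinct ones fall within WINDOW."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        name = classify(ev)
        if name:
            hits.append((ev["ts"], name))
    hits.sort()
    alert = False
    for i, (start, _) in enumerate(hits):
        names = {n for t, n in hits[i:] if t - start <= WINDOW}
        if len(names) >= 2:
            alert = True
            break
    return {
        "alert": alert,
        "hits": [(t.isoformat(), n) for t, n in hits],
        "unique": sorted({n for _, n in hits}),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ts, name in report["hits"]:
        print(f"{ts}  {name}")
    print("ALERT: wiper behaviour chain" if report["alert"] else "no chain found")
```

Run as-is and the three constructed indicators fire and cluster into an alert, while the Microsoft-signed driver load is ignored. A lone event 7040 (an administrator disabling VSS for maintenance) produces a hit but no alert, which is the point of requiring two distinct indicators in the window.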

Who are the targets of this malware?

Reported targets of this malware include:

  • Several Ukrainian government agencies
  • Banking institutions
  • Online portals of the Ministry of Foreign Affairs
  • The Cabinet of Ministers
  • The Rada, the country’s parliament

Last week, two of the largest Ukrainian banks, PrivatBank and Oschadbank, as well as the websites of the Ukrainian Ministry of Defense and the Armed Forces, suffered disruption from DDoS attacks by an unknown actor.

Ukrainian intelligence, together with the U.K. and U.S. governments, has pointed the finger at the Russian Main Intelligence Directorate (GRU); the Kremlin has denied the allegation.

On the dark web, cybercriminals are looking to capitalize on the political tensions by advertising databases and network accesses containing information on Ukrainian citizens and critical infrastructure entities on the RaidForums and Free Civilian marketplaces, in “hopes of gaining high profits.”

Since the start of the year, Ukrainian law enforcement authorities have faced continuous malicious cyber-attacks intended to spread anxiety, reduce confidence in the state’s ability to defend its citizens, and destabilize its unity.

Remedies:

The following measures can reduce exposure to this type of attack:

  • Keep malware protection software up to date.
  • Back up data regularly, and keep copies offline or otherwise unreachable from the network: a wiper that disables Volume Shadow Copy before it runs will also destroy any local recovery point it can reach.
  • Protect the infrastructure with a DDoS mitigation solution.
  • Learn to identify the warning signs of a DDoS attack.
  • Consider a cloud-based service provider for resilience.