A new form of data-wiping malware, deployed in recent cyberattacks on Ukraine prior to the Russian invasion, was accompanied by a ransomware decoy.

Researchers at Symantec Threat Intelligence commented:

“In several attacks Symantec has investigated to date, ransomware was also deployed against affected organisations at the same time as the wiper. As with the wiper, scheduled tasks were used to deploy the ransomware. It appears likely that the ransomware was used as a decoy or distraction from the wiper attacks. This has some similarities to the earlier WhisperGate wiper attacks against Ukraine, where the wiper was disguised as ransomware.”

Ransomware with a political agenda

The recently deployed ransomware decoy also left a dedicated ransom note on the compromised systems. The note instructs victims to make contact via two different email addresses for the return of their data files. These were listed as stephanie.jones2024@protonmail.com and vote2024forjb@protonmail.com. Along with the instructions to reach out, the ransomware also included a political message that stated:

“The only thing that we learn from new elections is we learned nothing from the old!”

The ransomware attack potentially acted as a distraction from the activities of the data wiper. Juan Andres Guerrero-Saade, a key cyberthreat researcher at SentinelOne, has named the malware “HermeticWiper”. It was unleashed as part of a recent spate of cyberattacks on Ukrainian organisations. While these enterprises were clearly the key focus of the attacks, HermeticWiper was also identified on systems beyond Ukraine’s borders.

According to the Technical Director for Symantec, Vikram Thakur, victims hit by the data wiper strikes also included government and finance contractors from Ukraine, Lithuania and Latvia.

Although the cyberattacks are recent, cybersecurity researchers at ESET spotted that the HermeticWiper malware carried a far earlier compilation date, December 28, 2021, hinting that the attacks were planned and prepared in advance.

Symantec tracked down evidence of threat operators gaining access to targets’ networks by exploiting the Microsoft Exchange vulnerabilities back in November 2021. They installed web shells and then deployed the data wiper malware. For example, one organisation in Lithuania was compromised as early as November 12 last year.

HermeticWiper in action

The data wiper malware employs drivers from EaseUS Partition Manager to corrupt the files on victims’ compromised devices before rebooting the computers. Security researcher Silas Cutler discovered that HermeticWiper also destroys the device’s Master Boot Record. As a result, all infected devices are rendered unbootable.

This is the second destructive data wiper launched against Ukraine’s networks since the beginning of 2022. A dangerous form of data-wiping malware called WhisperGate, which camouflaged itself as ransomware, was employed in earlier attacks aimed at organisations in Ukraine.

Like the HermeticWiper malware, WhisperGate was deployed to corrupt files and then wipe the Master Boot Records of the compromised devices. Consequently, the devices’ operating systems were unable to boot and users could not access files stored on their hard drives. While no attribution has yet been made for the HermeticWiper attacks, the USA has linked the strikes to Russia’s GRU.