Related Families: DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, Azov, CryWiper
Verticals Targeted: defense, government, judicial, telecommunications, energy, non-profit
In 2022, we observed a significant increase in the number of wiper malware families active in the wild. The majority of this activity appears to be motivated by or conducted in conjunction with the ongoing kinetic warfare taking place between Russia and Ukraine. In this report, we focus on wipers that seem to be connected to the Russia-Ukraine conflict.
- In 2022, we observed a significant increase in the number of wiper malware families active in the wild. Many of these appear to be related to the Russia-Ukraine conflict.
- These families include DoubleZero, HermeticWiper, IsaacWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, Azov, and CryWiper.
- The majority of these wiper families targeted entities in Ukraine, while at least one targeted entities in Russia.
In 2022, we observed a significant increase in the number of wiper malware families active in the wild, with many related to the Russia-Ukraine conflict. These families include DoubleZero, HermeticWiper, IsaacWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, Azov, and CryWiper.
Most of these wiper malware families targeted entities in Ukraine, but Russia was the target of at least one wiper family. This cyber activity appears to be motivated by or conducted in conjunction with the ongoing kinetic warfare taking place between Russia and Ukraine. Wiper malware is an effective instrument of cyber warfare because destroying data is a direct form of sabotage.
DoubleZero is a wiper malware first seen in the wild in March 2022. It was used to target Ukrainian enterprises. It destroys files, registry keys, and trees on infected systems. DoubleZero is a 32-bit Windows portable executable written in .NET.
HermeticWiper, also known as FoxBlade, is an approximately 115 KB executable. The earliest known compile date was December 28, 2021, and one of the wiper executables was compiled on the same day the malware was deployed. HermeticWiper has three components: HermeticWiper, an MBR wiper component; HermeticWizard, a worm-like feature used to propagate the malware on the local network via WMI and SMB; and HermeticRansom, a decoy ransomware program written in Go and used to mask the true intent of the malware. HermeticWiper was used to target entities in Ukraine.
IsaacWiper is a Windows DLL or EXE with no Authenticode signature and was compiled on October 19, 2021, about two months before HermeticWiper. IsaacWiper was used in attacks on Ukrainian entities one day after HermeticWiper was used. IsaacWiper attacks were first observed on February 24, with a second round of attacks on February 25. The second version of IsaacWiper included debug logs.
CaddyWiper, which targets Windows systems, is a compact MBR wiper malware with a compiled size of only 9 KB. CaddyWiper was compiled on March 14th, the same day it was deployed. It appears the malware was deployed via GPO (Group Policy Object), an Active Directory component used to define rules for users, endpoints, groups, and organizations. CaddyWiper was used to target government and critical infrastructure entities in Ukraine. The Russian threat actor group Sandworm is known to use CaddyWiper.
WhisperGate is a three-stage MBR wiper masquerading as ransomware. The malware displayed a ransom note demanding payment to a Bitcoin address before wiping the master boot record. WhisperGate was used to target government, non-profit, and technology systems entities in Ukraine. WhisperGate has been attributed to the threat actor group known as DEV-0586.
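HermeticWiper, CaddyWiper, and WhisperGate all overwrite the master boot record, so a first forensic triage step on a suspected victim disk is to check whether sector 0 still carries a valid MBR. The following is an added example, not code from the original report; it parses a 512-byte boot sector and classifies it as intact, wiped (uniformly overwritten), or damaged. The sample sectors are constructed here and are not taken from any real wiper sample.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the boot code


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition table entry (CHS fields are skipped)."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def triage_mbr(sector: bytes) -> dict:
    """Classify a boot sector as 'intact', 'wiped' or 'damaged'."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    entries = [parse_partition_entry(sector[PARTITION_TABLE_OFFSET + 16 * i:
                                            PARTITION_TABLE_OFFSET + 16 * (i + 1)])
               for i in range(4)]
    partitions = [e for e in entries if e["type"] != 0 and e["sectors"] != 0]
    # A sector filled with a single byte value (all zeros, all 0xFF, ...) is the
    # typical residue of a wiper's overwrite pass rather than of a real boot record.
    uniform = len(set(sector)) == 1
    if signature_ok and partitions:
        verdict = "intact"
    elif uniform:
        verdict = "wiped"
    else:
        verdict = "damaged"   # signature missing or table empty, but not a plain fill
    return {"verdict": verdict, "signature_ok": signature_ok,
            "partitions": partitions}


def build_sample_mbr() -> bytes:
    """Constructed sample: a plausible single-NTFS-partition MBR (not a real image)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\x33\xc0\x8e"  # arbitrary boot-code prefix, constructed
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    for label, sec in [("sample", build_sample_mbr()), ("zeroed", bytes(SECTOR_SIZE)),
                       ("garbage", bytes(range(256)) * 2)]:
        print(label, triage_mbr(sec)["verdict"])
```

On a real case, read sector 0 from a forensic image (for example with `open(path, "rb").read(512)`) and pass it to `triage_mbr`.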
AcidRain is a MIPS ELF binary with the name ukrop. It was used in an attack on Viasat KA-SAT. AcidRain affected thousands of modems in Ukraine, wiping the targeted filesystem and known storage device files and disrupting internet service.
Industroyer2 is a malware specifically used to target ICS (industrial control systems), like those typically used for critical infrastructure entities such as energy companies. The attack leveraging Industroyer2 targeted a Ukrainian energy company and has been attributed to the Russian threat actor group Sandworm. Additionally, the threat actors used CaddyWiper, ORCSHRED, SOLOSHRED, and AWFULSHRED in the attack.
Azov ransomware is a recently discovered malware family distributed through pirated software, keygens, and adware bundles. Although it presents itself as ransomware, Azov functions as a wiper and is capable of backdooring 64-bit executables. Further analysis found that it was manually crafted in assembly language using FASM and that it uses multi-threaded intermittent overwriting, consistent with its apparent purpose as a wiper. The decoy ransom note included with Azov indicates the attacks are politically motivated and are perpetrated by someone with pro-Ukraine sentiments.
Industry analysts recently discovered CryWiper. It initially gives the appearance of being ransomware, modifying files and appending the .CRY extension to them, and it even drops a decoy ransom note. However, the malware is a wiper: any files it modifies become unrecoverable. Additionally, CryWiper creates a scheduled task to restart the wiper every five minutes, sends information about the infected machine to its C2, halts several processes, deletes shadow copies of files, and disables RDP connections to the victim system. CryWiper is a 64-bit Windows executable written in C++. It was used to target government and judicial entities in Russia.
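The CryWiper behaviours described above (a scheduled task that re-launches the wiper every five minutes, shadow copy deletion, and disabling RDP) are individually noisy but together make a strong host-level signal. The following is an added example, not code from the original report: a small correlation rule run over constructed process-creation events. The command lines it matches are the usual Windows ways of performing those actions and are an assumption; the report does not give CryWiper's actual commands.

```python
import re
from collections import defaultdict

# Constructed process-creation events: (host, parent image, command line).
# These are illustrative only, not real telemetry from any CryWiper incident.
SAMPLE_EVENTS = [
    ("srv-01", "explorer.exe", r"C:\Windows\System32\notepad.exe report.txt"),
    ("srv-01", "wiper.exe", r"vssadmin.exe delete shadows /all /quiet"),
    ("srv-01", "wiper.exe",
     r'schtasks.exe /create /tn "Updater" /sc minute /mo 5 /tr C:\Temp\wiper.exe'),
    ("srv-01", "wiper.exe",
     r'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"'
     r' /v fDenyTSConnections /t REG_DWORD /d 1 /f'),
    ("ws-07", "svchost.exe", r"schtasks.exe /create /tn Backup /sc daily /st 02:00 /tr backup.exe"),
    ("ws-07", "cmd.exe", r"vssadmin.exe list shadows"),
]

# Behaviour patterns (assumed command forms for the actions the report describes).
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "rdp_disabled": re.compile(r"fDenyTSConnections\b.*?/d\s+1\b", re.I),
}
# A minute-interval scheduled task; the interval is captured so short loops can be flagged.
RESTART_TASK = re.compile(
    r"schtasks(\.exe)?\s+/create\b.*?/sc\s+minute\s+/mo\s+(?P<mo>\d+)", re.I)
MAX_RESTART_MINUTES = 5  # the report states CryWiper restarts itself every five minutes


def classify(cmdline: str):
    """Return the wiper-like behaviour a command line matches, or None."""
    for name, pattern in RULES.items():
        if pattern.search(cmdline):
            return name
    m = RESTART_TASK.search(cmdline)
    if m and int(m.group("mo")) <= MAX_RESTART_MINUTES:
        return "short_interval_persistence"
    return None


def correlate(events, threshold: int = 2) -> dict:
    """Collect distinct behaviours per host; alert where at least `threshold` occur."""
    hits = defaultdict(set)
    for host, _parent, cmdline in events:
        behaviour = classify(cmdline)
        if behaviour:
            hits[host].add(behaviour)
    return {host: sorted(b) for host, b in hits.items() if len(b) >= threshold}


if __name__ == "__main__":
    for host, behaviours in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(behaviours)}")
```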
Tracking Wiper Malware With PolySwarm
PolySwarm tracked the following wiper malware families this year.