Verticals Targeted: Government, Military, Various
Related Families: DboxShell, PowerMagic
Verticals Targeted: Defense, Critical Infrastructure, Transportation
RedStinger, a relatively unknown threat actor group, targeted multiple entities in Ukraine, including those in the defense, transportation, and critical infrastructure verticals.
Related Families: Andromeda, Kopiluwak, QuietCanary
Mandiant recently reported on a Turla campaign targeting Ukraine. The threat actors used multiple malware families in this campaign, including Kopiluwak, QuietCanary, and Andromeda.
Related Families: DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, Azov, CryWiper
Verticals Targeted: Defense, Government, Judicial, Telecommunications, Energy, Non-profit
In 2022, we observed a significant increase in the number of wiper malware families active in the wild. The majority of this activity appears to be motivated by or conducted in conjunction with the ongoing kinetic warfare taking place between Russia and Ukraine. In this report, we focus on wipers that seem to be connected to the Russia-Ukraine conflict.
- In 2022, we observed a significant increase in the number of wiper malware families active in the wild. Many of these appear to be related to the Russia-Ukraine conflict.
- These families include DoubleZero, HermeticWiper, IsaacWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, Azov, and CryWiper.
- The majority of these wiper families targeted entities in Ukraine, while at least one targeted entities in Russia.
Azov ransomware is a recently discovered malware family being distributed through pirated software, keygens, and adware bundles. It acts as a wiper and is capable of backdooring 64-bit executables. It also uses a unique pattern for overwriting files.
Verticals Targeted: Transportation, Logistics
Microsoft Threat Intelligence Center recently reported on Prestige ransomware, a novel ransomware family used to target entities in Ukraine and Poland in October 2022.
Cisco Talos researchers recently reported on new activity perpetrated by the Russia-nexus threat actor group Armageddon. The group is using a new infostealer to target entities in Ukraine.
ESET recently tweeted about a new version of ArguePatch, a malware loader used by VooDoo Bear (Sandworm) in multiple attacks against Ukrainian assets. ESET also gave an overview of the new version of ArguePatch on their WeLiveSecurity blog.