
Cyberattackers deployed ransomware in several instances to serve as a “decoy or distraction” as they targeted organizations in Ukraine with disk-wiping malware on Wednesday, just before Russia’s invasion of the country, researchers at Symantec said.

The data wiper has been dubbed HermeticWiper by a researcher at SentinelOne, since its digital certificate had been issued under the name Hermetica Digital Ltd.

Researchers at Symantec and ESET first disclosed details on the data wiper on Wednesday. ESET reported that the wiper was installed on hundreds of machines in Ukraine, and followed distributed denial-of-service (DDoS) attacks targeting Ukrainian websites earlier in the day.

Symantec’s researchers reported they’ve also discovered evidence that the wiper attacks affected machines in Lithuania and Latvia.

Decoy for destructive malware

In the attacks Wednesday, Symantec researchers said that the destructive malware was deployed against defense organizations as well as financial, aviation and IT services companies. And ransomware was a component of the attacks in some cases.

“In several attacks Symantec has investigated to date, ransomware was also deployed against affected organizations at the same time as the wiper,” Symantec researchers said in a blog post.

“As with the wiper, scheduled tasks were used to deploy the ransomware,” the researchers said. “File names used by the ransomware included client.exe, cdir.exe, cname.exe, connh.exe, and intpub.exe.”
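As an added illustration (not code from Symantec's report or from this article), a small Python hunt over constructed scheduled-task log lines that flags any task whose action runs one of the file names quoted above; the key=value log format and its field names are assumptions, not a real product's schema.

```python
import re
from pathlib import PureWindowsPath

# Ransomware file names Symantec reported being deployed via scheduled tasks.
RANSOMWARE_FILENAMES = {"client.exe", "cdir.exe", "cname.exe", "connh.exe", "intpub.exe"}

# Constructed sample log lines (not real telemetry): a simplified key=value
# rendering of "scheduled task created" events. Field names are assumptions.
SAMPLE_LOG = r"""
ts=2022-02-23T16:02:11Z event=task_created host=WS01 user=CORP\svc-admin task=\Microsoft\Windows\Update action="C:\Windows\Temp\client.exe" args="-k"
ts=2022-02-23T16:02:15Z event=task_created host=WS02 user=CORP\svc-admin task=\cdir action="c:\programdata\CDIR.EXE"
ts=2022-02-23T16:03:40Z event=task_created host=WS03 user=CORP\jdoe task=\Backup action="C:\Program Files\Backup\backup.exe" args="--nightly"
ts=2022-02-23T16:05:02Z event=task_created host=WS04 user=CORP\svc-admin task=\connh action="C:\Users\Public\connh.exe"
ts=2022-02-23T16:06:10Z event=logon host=WS05 user=CORP\jdoe
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict of field -> value."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def find_suspicious_tasks(log_text: str) -> list:
    """Return task-creation events whose action runs one of the known file names."""
    hits = []
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        if event.get("event") != "task_created":
            continue
        # Match on the executable's basename only, case-insensitively, so a
        # renamed directory or upper-cased file name does not evade the check.
        exe = PureWindowsPath(event.get("action", "")).name.lower()
        if exe in RANSOMWARE_FILENAMES:
            hits.append({"host": event["host"], "task": event["task"],
                         "action": event["action"], "matched": exe})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_tasks(SAMPLE_LOG):
        print(f"{hit['host']}: task {hit['task']} runs {hit['action']} (matches {hit['matched']})")
```

A file-name match is only a starting point for triage; the same hunt logic applies to any other indicator list once the scheduled-task telemetry is normalised.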

Notably, “it appears likely that the ransomware was used as a decoy or distraction from the wiper attacks,” the Symantec researchers said, posting an image of a presumably fake ransom note used with the ransomware.

This approach “has some similarities to the earlier WhisperGate wiper attacks against Ukraine, where the wiper was disguised as ransomware,” the researchers said, referring to the January attacks that left dozens of the Ukrainian government’s websites inaccessible or defaced.

Cyber escalation

As for HermeticWiper, Juan Andres Guerrero-Saade, the researcher at SentinelOne who gave the malware its name, reported that the wiper erases Windows devices: it deletes shadow copies and manipulates the Master Boot Record (MBR), with the damage taking effect after a reboot.

“After a week of defacements and increasing DDoS attacks, the proliferation of sabotage operations through wiper malware is an expected and regrettable escalation,” Guerrero-Saade wrote.

Ultimately, the risk has only intensified that the cyberattacks “could extend out of Ukraine, and impact NATO and EU member states,” researchers at the Digital Shadows Photon Research team said Thursday. “This has already been observed with HermeticWiper impacting networks in Latvia and Lithuania.”

The 2017 NotPetya attack “immediately springs to mind,” the Digital Shadows researchers said. Ordered by the Russian government and initially targeted at companies in Ukraine, the NotPetya worm ended up spreading worldwide. It remains the costliest cyberattack to date, with damages of $10 billion.

Additionally, Russia-based cybercriminals “may also be emboldened or otherwise encouraged by Russia’s actions,” the Digital Shadows researchers said.
