What is HermeticWiper?





HermeticWiper explained

HermeticWiper is a new form of destructive malware designed to infiltrate Windows devices and render them inoperable by destroying files, corrupting Master Boot Record (MBR), and afflicting physical drives belonging to Ukraine organizations.

HermeticWiper is similar to WhisperGate, a previous wiper-style threat used in cyberattacks targeting Ukraine. HermeticWiper is also being linked to PartyTicket, a decoy ransomware known to be deployed alongside wiper threats.

HermeticWiper vs WhisperGate malware

Wiper malware was reported by ESET following repeated distributed denial-of-service (DDoS) attacks and website defacements directed at Ukraine-based organizations. These threats are multi-staged and include a chain of sophisticated attacks.

Both HermeticWiper and WhisperGate involve two phases:

Phase 1: Corrupting the Master Boot Record (MBR) and partitions.

Phase 2: Deploying a disk-wiper.

HermeticWiper targets Windows devices by manipulating the MBR causing multiple system boot failures. While sequential boot failures occur, HermeticWiper catalogues FAT and NTFS partitions and corrupts these files. In contrast, WhisperGate corrupts and overwrites a system’s MBR with a fake ransom note and encrypts files focusing on specific file extensions.

How can businesses prevent against a HermeticWiper attack?

CISA Shields Up provides technical resources for business leaders and covers recommendations for organizations facing recent onslaughts to their security posture.

Recognizing indicators of compromise (IOCs) helps companies monitor suspicious activity and respond to threats attempting to penetrate their security infrastructure. Additionally, CISA provides a table of HermeticWiper IOCs your IT team can refer to.

Although wiper attacks are rare, here are steps to consider when protecting your business against wiper malware:

Update existing malware protection

Traditional malware focuses on staying undetected for extended periods. Unlike its counterpart, wiper-type malware causes obvious disruption to your company’s workflow. Improving the likelihood of detecting a wiper attack, your IT team can schedule, define, and configure anti-malware systems to increase the frequency of signature updates and scan for the latest threats.

Backup data frequently

Most cybercrimes target organizations with the intent to steal data, however HermeticWiper and other wiper malware focus on data-wiping. Reevaluating and improving your data recovery plan can reduce the magnitude of property impacted by a cyberattack.

Isolate high priority intellectual property

Wiper malware is designed to destroy valuable content on drives. Remotely accessing data from a segmented network adds a layer of difficulty for malware attackers to breach. By keeping sensitive data and intellectual property isolated using a segmented network, content needs to be accessed through remote desktop software. 

Wiper malware FAQ

A wiper virus can be defined as a class of malware that wipes, erases, or overwrites data on an infected computer hard drive.

A wiper malware attack consists of wiping, deleting, or overwriting data. Wiper attacks are committed by an unauthorized threat actor who focuses on causing destruction rather than manipulating victims for monetary gain.

Wiper malware targets three entities: data or intellectual property (files), data backups, and Master Boot Record (MBR). Wiper behavior can differ and an attack can target specific folders containing sensitive files or focus files at random. Conclusively, it destroys data which is often irreversible.

Learn more

Request a free trial of Malwarebytes business solutions:

Free business trial

Select your language