Before Ukraine got attacked by Russia, researchers discovered that a decoy of the GoLang ransomware accompanied the HermeticWiper malware being deployed on the country’s servers.
Security experts explained that as the data wiper attacks were executed against Ukraine, the decoy ransomware was also deployed to target Ukrainian organisations using scheduled tasks by the threat actors.
Nonetheless, researchers believe that the execution of the decoy ransomware could only be a form of distraction from the data wiper attacks. This assumption came from a past incident where Ukraine was attacked with a WhisperGate wiper disguised by threat actors as ransomware.
Dubbed HermeticWiper, the malware was launched to target organisations in and out of Ukraine’s territory, including the Ukrainian government and finance sector, and some firms from Latvia and Lithuania.
Researchers also added that the HermeticWiper malware was initially launched last December 2021. Proofs were then found regarding the infiltration of threat actors on victims’ servers by exploiting flaws in Microsoft Exchange in November 2021. The threat actors also installed web shells prior to executing the wiper on the servers.
Threat actors employed the EaseUS Partition Manager drivers to the wiper malware to corrupt all compromised files of the devices before rebooting them. The reboot process also discards the Master Boot Record of the compromised devices to make them unbootable.
Since the beginning of 2022, Ukraine has suffered from data wiper attacks for the second time. The first incident was when Microsoft revealed the country being attacked with the WhisperGate malware in January, which threat actors disguised as ransomware.
As of writing, there are no attributions regarding the recent data wiper attacks against Ukraine. Nonetheless, the US White House reported that Russia’s armed forces initiated the DDoS attacks targeting the affected country.
Russian state-sponsored threat groups are notorious for launching data wiper attacks. From a previous record, thousands of firms in Ukraine were hit by data wiper attacks in 2017, which were connected to Russian hackers.