Ransomware-like Attack in Ukraine – HermeticWiper

We’ve become accustomed to hearing news about cyber warfare. From hacks to ransomware and misinformation—bad actors have made worldwide headlines with their malicious attacks.

There are measures you can take to protect yourself, like using industry-leading cell phone encryption to stay a step ahead of threats. By the time you realize you have been targeted by hackers, it is too late.

Just days before Russia’s invasion of Ukraine, a malware menace known as HermeticWiper struck Ukrainian entities as well as related targets in Latvia and Lithuania. Examining this data-wiping malware reinforces the need to ensure every exposed vector has the best digital security. Let’s take a closer look at HermeticWiper to see how destructive it is.

HermeticWiper and HermeticRansom

On February 24, 2022, after a series of distributed denial of service attacks against Ukraine, designed to knock websites offline—overwhelming them with requests until they crash—a Slovakian security firm was the first to report finding the wiper on hundreds of machines in Ukraine. Another 50 banking systems with government contracts were reported by Symantec to have been hit in Ukraine.

The malware was given the name “HermeticWiper” because of a digital certificate stolen from a company called Hermetica Digital Ltd. The first variant of this malware surfaced in November 2021.

Lawrence Abrams of Bleeping Computer says, “A data wiper is malware that intentionally destroys data on a device to make the data unrecoverable and for the operating system to no longer work correctly.”

HermeticRansom, also known as PartyTicket, was created with the open-source Go programming language. It struck on the same day as the highly effective HermeticWiper. HermeticRansom had a decidedly unsophisticated style and poor implementation. There was no obfuscation or intent to misdirect, and its functioning was straightforward, suggesting it was created quickly and leading experts to suspect it was a distraction to help HermeticWiper do more damage.

Mobile solutions like ChatMail™ have military-grade strength encryption, proprietary server storage, and secondary security features that prevent malware such as these wiper attacks. ChatMail’s technology doesn’t allow third-party apps, which perpetrate this type of attack. Additionally, it is worth mentioning that these targeted attacks were directed at the Ukrainian government and not the public.

Who Was Responsible?

Like ransomware, a wiper requires the compromise of identities and the abuse of privileged credentials.

Given the nature of the ongoing war in Ukraine and the cyber conflict, future attacks could easily expand in scope. Russian oligarchs are frantically moving their money in the wake of international sanctions, while government officials and journalists operate in a climate of intense eavesdropping and information control.

Other similar cyberattacks, notably WhisperGate (which displayed a fake ransomware note before rendering the Master Boot Record useless once the computer is shut down), prompted warnings from several US government agencies. Regardless of who is to blame, these wiper attacks are designed to prevent targets from using their devices to access data, and they further reinforce the need for heightened vigilance.

Whoever was responsible, there’s nothing to suggest that the next cyber-victim will be confined to a military opponent in the war itself. The code’s simplicity, along with the spelling and grammar errors, suggests it was slapped together.

Plausible Deniability

The nature of cyberattacks makes it difficult to pin down precisely who was responsible, as attackers can always invoke plausible deniability. For example, hackers can partially take over your home computer and use it, without your knowledge or approval, to launch cyberattacks.

One researcher told BBC News, “Ukraine’s military and banking websites have seen a more rapid recovery, likely due to preparedness and increased capacity to implement mitigations.”

Governments and enterprises need to protect every aspect of their business with digital security designed from the ground up. Myntex provides you with complete mobile device security.

We designed and built ChatMail from the ground up, including our custom encryption protocol. For your protection, anything unencrypted isn’t displayed. Our parsing algorithm takes emails sent with external PGP encryption and displays them in an easy-to-read bubble that looks like a chat message. Confidential communications remain private as no threads remain on our servers. We do not have roster, group, or message storage. You can access and delete your confidential information while being offline.