Security Experts:

Connect with us

Hi, what are you looking for?



Ransomware Used as Decoy in Destructive Cyberattacks on Ukraine

Ransomware was used as a decoy in some of the recent data-wiping cyberattacks against organizations in Ukraine, Symantec reports.

Ransomware was used as a decoy in some of the recent data-wiping cyberattacks against organizations in Ukraine, Symantec reports.

The cyberattacks employed HermeticWiper, a piece of malware that was designed solely to damage the Master Boot Record (MBR) of the target system, rendering the machine unusable.

Once executed, the wiper adjusts its settings to gain read access control to any file, then gains the privileges required to load and unload device drivers, disables crash dumps to cover its tracks, disables the Volume Shadow Service (VSS), and loads a benign partition manager which it abuses to corrupt the MBR.

The wiper uses different corruption methods based on the version of Windows running on the machine and partition type (FAT or NTFS). HermeticWiper can damage both MBR and GPT drives and triggers a system reboot to complete the data wiping process, researchers with Cisco’s Talos division note.

Although executed on February 23, hours before Russia launched an invasion of Ukraine, the attacks appear to have been in preparation for months.

The network of one organization in Ukraine was compromised on December 23, 2021, with a web shell installed on January 16, more than one month before HermeticWiper was deployed, Symantec reports.

[ READ: Russia, Ukraine and the Danger of a Global Cyberwar ]

The cybersecurity firm has also found evidence that the wiper was used in attacks against computers in Lithuania as well. At least one organization in the country fell victim to HermeticWiper, after the attackers compromised its network and achieved persistence in November 2021.

In both attacks, the threat actors behind the wiper stole credentials found in the compromised environments and executed the wiper using scheduled tasks.

Similar to the WhisperGate cyberattacks on Ukraine, some of the HermeticWiper incidents involved the execution of ransomware on the infected machines. However, Symantec believes that the ransomware was only employed as a distraction from the destructive data-wiping attacks.

Despite their destructive capabilities and similarities in targeting and behavior, WhisperGate and HermeticWiper do not show code overlaps, IBM Security X-Force researchers say.

Both IBM and Symantec warn that the developing situation in Ukraine is expected to be accompanied by more destructive cyberattacks, potentially escalating in parallel with the ongoing conflict.

Related: Destructive ‘HermeticWiper’ Malware Targets Computers in Ukraine

Related: Cyberattacks Accompany Russian Military Assault on Ukraine

Related: New ‘Cyclops Blink’ Malware Linked to Russian State Hackers Targets Firewalls

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.