{
	"id": "e7d7b1d7-8bdc-415e-b793-48c4ddd63ab9",
	"created_at": "2026-04-06T00:22:36.415781Z",
	"updated_at": "2026-04-10T13:12:06.696159Z",
	"deleted_at": null,
	"sha1_hash": "a319dc10ce4b869c22c7512d8c1f0969eb82b0f5",
	"title": "New destructive malware cyber attacks Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1213446,
	"plain_text": "New destructive malware cyber attacks Ukraine\r\nBy Christopher Del, John Dwyer\r\nPublished: 2022-02-24 · Archived: 2026-04-05 15:50:25 UTC\r\nChristopher Del\r\nX-Force IRIS Malware Reverse Engineer\r\nJohn Dwyer\r\nHead of Research\r\nIBM Security X-Force\r\nThis post was written with contributions from IBM Security X-Force’s Anne Jobmann, Claire\r\nZaboeva and Richard Emerson.\r\nFebruary 25, 2022 Update\r\nOn February 24, 2022, Symantec Enterprise reported that a ransomware dubbed PartyTicket was deployed alongside\r\nthe HermeticWiper malware. IBM Security X-Force obtained a sample of the PartyTicket ransomware and has\r\nprovided technical analysis, indicators of compromise, and detections within the PartyTicket section of this blog.\r\nOn February 23, 2022, open-source intelligence sources began reporting detections of a wiper malware — a\r\ndestructive family of malware designed to permanently destroy data from the target — executing on systems\r\nbelonging to Ukrainian organizations. IBM Security X-Force obtained a sample of the wiper named\r\nHermeticWiper. It uses a benign partition manager driver (a copy of epmntdrv.sys) to perform its wiping\r\ncapabilities, corrupting all available physical drives’ Master Boot Record (MBR), partitions, and file systems (FAT or\r\nNTFS).\r\nThis is not the first wiper malware targeting Ukrainian organizations X-Force has analyzed. In January 2022, X-Force analyzed the WhisperGate malware and did not identify any code overlaps between WhisperGate and\r\nHermeticWiper.\r\nThis blog post will detail IBM Security X-Force’s insights into the HermeticWiper malware, technical analysis of\r\nthe sample, and indicators of compromise (IoC) to help organizations protect themselves from this malware.\r\nWhy this is important\r\nIn January 2022, X-Force analyzed the WhisperGate malware. 
HermeticWiper is the second newly seen\r\ndestructive malware family observed in the past two months targeting organizations in Ukraine, and reportedly\r\nother countries in Eastern Europe. No code overlaps were identified between WhisperGate and HermeticWiper.\r\nhttps://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/\r\nPage 1 of 10\n\nThe pace at which these new, destructive malware families are being deployed and discovered is unprecedented,\r\nand further highlights the need for organizations to have an active and informed defense strategy that expands\r\nbeyond signature-based defenses.\r\nAs the conflict in the region continues to evolve and given the destructive capabilities of both WhisperGate and\r\nHermeticWiper, IBM Security X-Force recommends critical infrastructure organizations within the targeted region\r\nfortify defenses. Those organizations should focus on preparation for potential attacks that can destroy or encrypt\r\ndata or otherwise significantly impact operations.\r\nIt is X-Force’s opinion that destructive cyber attacks will likely continue to be leveraged against civilian targets\r\nin support of hybrid operations. In addition, X-Force believes it is likely cyber attacks will continue to escalate\r\nand expand in parallel with the scope of the ongoing conflict. It should be noted that the increasing number of\r\ndestructive capabilities focused against private industry and entities associated with Ukraine and its perceived\r\nallies will likely alter the cyber security environment by creating an elevated threat to regional commerce.\r\nAnalysis details\r\nThis section contains the results of the analysis performed for the submitted samples. 
Typical analysis includes\r\nboth behavioral and static analysis.\r\nBehavioral analysis describes the malware behavior observed on a system during execution. Behavioral analysis\r\ntypically includes actions performed on the system such as files dropped, persistence, details surrounding process\r\nexecution and any C2 communications. It should be noted that behavioral analysis may not capture all notable\r\nmalware behavior, as certain functions may only be performed by the malware under specific conditions.\r\nStatic analysis is a deeper dive into the technical analysis of the malware. Static analysis typically includes further\r\ndetails about the functionality, obfuscation or packing in the sample, encryption used by the malware,\r\nconfiguration information or other notable technical detail.\r\nBehavioral analysis\r\nUpon execution, HermeticWiper immediately adjusts its process token privileges and enables SeBackupPrivilege.\r\nThis gives the malware read access to any file, regardless of what its access control list\r\n(ACL) specifies.\r\nIt then checks the system’s OS version to determine which embedded copy of a benign partition management driver\r\n(EaseUS Partition Manager: epmntdrv.sys) it will use. 
The driver is initially Microsoft compressed (SZDD\r\ncompression) and embedded in its resource named RCDATA.\r\nFor Windows XP:\r\nx86 – it uses DRV_XP_X86\r\nx64 – it uses DRV_XP_X64\r\nFor Windows 7 and up:\r\nx86 – it uses DRV_X86\r\nx64 – it uses DRV_X64\r\nAfter verifying which version it will use, the SZDD-compressed benign partition management driver is then\r\ndropped in the following directory as:\r\n%WINDIR%\\system32\\driver\\\u003crandom_2chars\u003edr\r\nExample: C:\\Windows\\system32\\Drivers\\vfdr\r\nIt then proceeds to decompress it and add “.sys” as the file extension.\r\nExample: C:\\Windows\\system32\\Drivers\\vfdr.sys\r\nIt then adjusts its process token privileges again to enable SeLoadDriverPrivilege. This privilege gives\r\nthe HermeticWiper process the ability to load and unload device drivers.\r\nNext, it disables crash dumps by modifying the following registry key:\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl\r\nCrashDumpEnabled = 0\r\nNote that crash dumps are memory dumps that contain information about why the system stopped unexpectedly. 
With this\r\noption disabled, the system is prevented from creating any dumps, which helps the malware cover its tracks.\r\nIt also disables the Volume Shadow Service (VSS) if enabled, and disables ShowCompColor and ShowInfoTip under every\r\nHKEY_USERS hive:\r\nHKEY_USERS\\\u003cID\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\r\nShowCompColor = 0\r\nShowInfoTip = 0\r\nThe ShowCompColor option displays compressed and encrypted NTFS files in color, while ShowInfoTip shows pop-up\r\ndescriptions for folder and desktop items.\r\nHermeticWiper then proceeds to add and load the created driver as a service using Windows APIs such\r\nas OpenSCManagerW(), OpenServiceW(), CreateServiceW() and StartServiceW().\r\nExample:\r\nThis creates a service entry in the registry:\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\\u003crandom_2chars\u003edr\r\nOnce the benign driver service is started and loaded in the system, it then proceeds to cover its tracks once again\r\nby deleting the created driver in %WINDIR%\\system32\\drivers and deleting the created service in the registry.\r\nHermeticWiper enumerates a range of up to 100 Physical Drives by looping 0-100. It uses the benign partition\r\nmanager, now loaded in the system, to corrupt the Master Boot Record (MBR) of every Physical Drive present in\r\nthe system.\r\nIt doesn’t stop there: it also corrupts every available partition, supporting both FAT and NTFS file\r\nsystems. 
For NTFS, it also corrupts the Master File Table (MFT), which holds all information about a file, to ensure\r\nthat data will be unrecoverable.\r\nOnce all disks are corrupted, the system should crash, but just in case, HermeticWiper also creates a\r\nfail-safe sleeping thread that triggers a system shutdown to force a restart of the target system.\r\nStatic analysis\r\nAnalysis of the wiper sample revealed it was signed with a digital certificate issued to an organization named\r\n‘Hermetica Digital Ltd’ and created April 15, 2021. A digital certificate is a file or cryptographic signature\r\nthat proves the authenticity of an item such as a file, server, or user.\r\nHermeticWiper contains the following digital certificate:\r\nIndicators of Compromise (IOCs)\r\nHermeticWiper\r\nFILE SYSTEM:\r\n%WINDIR%\\system32\\driver\\\u003crandom_2chars\u003edr\r\nREGISTRY:\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl\r\n CrashDumpEnabled = 0\r\n HKEY_USERS\\\u003cID\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\r\n ShowCompColor = 0\r\n ShowInfoTip = 0\r\n HKLM\\SYSTEM\\CurrentControlSet\\services\\\u003crandom_2chars\u003edr\r\nSERVICE:\r\nservice name: \u003crandom_2chars\u003edr\r\nHermetic malware samples\r\nDetection\r\nIBM Security X-Force has developed the following Yara signature to detect additional instances of\r\nHermeticWiper.\r\nimport \"pe\"\r\n rule XFTI_HermeticWiper : HermeticWiper\r\n {\r\n meta:\r\n author = \"IBM X-Force Threat Intelligence Malware Team\"\r\n description = \"Detects the wiper targeting Ukraine.\"\r\n threat_type = \"Malware\"\r\n rule_category = \"Malware Family\"\r\n usage = \"Hunting and Identification\"\r\n ticket = \"IRIS-12790\"\r\n hash = 
\"1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\"\r\n yara_version = \"4.0.2\"\r\n date_created = \"24 Feb 22\"\r\n date_updated = \"\"\r\n reference = \"\"\r\n xfti_reference = \"\"\r\n strings:\r\n $s1 = \"\\\\\\\\.\\\\EPMNTDRV\\\\%u\" wide fullword\r\n $s2 = \"C:\\\\Windows\\\\SYSVOL\" wide fullword\r\n $s3 = \"DRV_X64\" wide fullword\r\n $s4 = \"DRV_X86\" wide fullword\r\n $s5 = \"DRV_XP_X64\" wide fullword\r\n $s6 = \"DRV_XP_X86\" wide fullword\r\n condition:\r\n uint16(0) == 0x5A4D and 4 of them and\r\n pe.imports(\"lz32.dll\", \"LZOpenFileW\") and\r\n pe.imports(\"kernel32.dll\", \"FindResourceW\") and\r\n pe.imports(\"advapi32.dll\", \"CryptAcquireContextW\")\r\n }\r\nPartyTicket analysis\r\nThe ransomware sample dubbed PartyTicket is a Golang-compiled ransomware believed to be\r\ndistributed alongside the HermeticWiper malware that targets Ukrainian organizations.\r\nPartyTicket ransomware doesn’t include any privilege escalation and will execute within the context of the\r\ncurrent user. This means that if it is executed with a non-privileged account, folders and files requiring higher\r\nprivileges will not be encrypted.\r\nPartyTicket adds “.[vote2024forjb@protonmail.com].encryptedJB” as the file extension to all files it encrypts. 
It uses\r\nboth RSA and AES to encrypt targeted files.\r\nInitial static analysis of the ransomware reveals “Biden” and “Whitehouse” referenced within the code.\r\nUpon execution, PartyTicket ransomware builds a list of files to encrypt by checking for all available drives from\r\nA: to Z: and traversing all directories except for those containing “Windows” and “Program Files”.\r\nWhile traversing the directory structure, the ransomware enumerates a target list of files with the following\r\nextensions:\r\n.acl, .avi, .bat, .bmp, .cab, .cfg, .chm, .cmd, .com, .crt,\r\n.css, .dat, .dip, .dll, .doc, .dot, .exe, .gif, .htm, .ico,\r\n.iso, .jpg, .mp3, .msi, .odt, .one, .ova, .pdf, .png, .ppt,\r\n.pub, .rar, .rtf, .sfx, .sql, .txt, .url, .vdi, .vsd, .wma,\r\n.wmv, .wtv, .xls, .xml, .xps, .zip, .docx, .epub, .html, .jpeg,\r\n.pptx, .xlsx, .pgsql, .contact, inc\r\nNote that .exe is included in the target extension list, indicating that the ransomware will encrypt itself\r\nafterwards.\r\nOnce the target list is created, the ransomware creates a copy of itself, named with a universally unique identifier\r\n(UUID), for every file within the target list. 
The copies are executed with a thirty-second timeout as children\r\nof the original PartyTicket process, each responsible for encrypting a file within the target file list.\r\nExample PartyTicket child process execution lifecycle:\r\nC:\\Windows\\system32\\cmd.exe cmd /c copy \u003cPartyTicket.exe\u003e b6771851-a968-11eb-9f9f-000c29fc4fde.exe\r\nb6771851-a968-11eb-9f9f-000c29fc4fde.exe.exe \u003ctarget_file_to_encrypt\u003e\r\ntimeout /t 30 \u0026\u0026 C:\\Windows\\system32\\cmd.exe /C del \u003cUUID\u003e.exe\r\nPartyTicket Indicators of Compromise (IOCs)\r\nFILE SYSTEM:\r\n%DESKTOP%\\read_me.html\r\n \u003cencrypted_files\u003e.[vote2024forjb@protonmail.com].encryptedJB\r\nPartyTicket detection\r\nIBM Security X-Force has developed the following Yara signature to help identify instances of the PartyTicket\r\nransomware.\r\nrule XFTI_PartyTicket : PartyTicket\r\n {\r\n meta:\r\n author = \"IBM Security X-Force \"\r\n description = \"Detects the PartyTicket ransomware deployed alongside the HermeticWiper malware. 
The rule includ\r\n threat_type = \"Malware\"\r\n rule_category = \"Malware Family\"\r\n usage = \"Hunting and Identification\"\r\n hash = \"4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382\"\r\n yara_version = \"4.0.2\"\r\n date_created = \"25 Feb 22\"\r\n strings:\r\n $main_func1 = \"pr1me\"\r\n $main_func2 = \"dtFie\"\r\n $main_func3 = \"getBoo\"\r\n $main_func4 = \"selfElect\"\r\n $main_func5 = \"highWay60\"\r\n $main_func6 = \"voteFore403\"\r\n $main_func7 = \"subscribeNewPartyMember\"\r\n $proj_path = \"/403forBiden/\"\r\n $file_ext = \".encryptedJB\"\r\n condition:\r\n uint16(0) == 0x5A4D and 7 of them\r\n }\r\nResponse\r\nAt this time, X-Force recommends organizations implement detections for the file system, registry, and Windows\r\nservice indicators listed in this report, and leverage the provided Yara rules to scan files. Additionally,\r\nglobal businesses should seek to establish sound insight into their respective networks, supply chains, third\r\nparties, and partnerships that are based in, or serve, in-region institutions. It is also advised that organizations open\r\nlines of communication with relevant information-sharing entities to ensure the receipt and exchange of\r\nactionable indicators.\r\nIn addition to response measures associated with the indicators of compromise, X-Force recommends\r\norganizations consider the following proactive measures:\r\nBlock high-risk protocols on all B2B VPNs\r\nImplement netflow monitoring at all egress points\r\nHave contingency plans in place to disconnect B2B VPNs, particularly those that are high-risk\r\nPrevent loading of unknown driver files\r\nIf you have questions and want a deeper discussion about the malware and prevention techniques, you can\r\nschedule a briefing here. 
Get the latest updates as more information develops on the IBM Security X-Force\r\nExchange and the IBM PSIRT blog.\r\nIf you are experiencing cybersecurity issues or an incident, contact X-Force to help.\r\nUS hotline 1-888-241-9812\r\nGlobal hotline (+001) 312-212-8034\r\nSource: https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/"
	],
	"report_names": [
		"new-destructive-malware-cyber-attacks-ukraine"
	],
	"threat_actors": [],
	"ts_created_at": 1775434956,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a319dc10ce4b869c22c7512d8c1f0969eb82b0f5.pdf",
		"text": "https://archive.orkl.eu/a319dc10ce4b869c22c7512d8c1f0969eb82b0f5.txt",
		"img": "https://archive.orkl.eu/a319dc10ce4b869c22c7512d8c1f0969eb82b0f5.jpg"
	}
}