{
	"id": "da61158a-5cfa-4524-b7e2-d9df3b5e52c1",
	"created_at": "2026-04-06T00:10:45.064115Z",
	"updated_at": "2026-04-10T03:30:30.470634Z",
	"deleted_at": null,
	"sha1_hash": "c538e3c9d7036a64179fc762296a7b3e8e93de07",
	"title": "Cybereason vs. WhisperGate and HermeticWiper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 757528,
	"plain_text": "Cybereason vs. WhisperGate and HermeticWiper\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 18:31:55 UTC\r\nAs geopolitical tensions escalate between Russia and Ukraine, the cyberwar that has been going on since 2013 recently saw another round of escalation. For the last couple of months, there has been a wave of cyberattacks targeting Ukrainian interests, involving website defacements and DDoS attacks.\r\nThe most recent discovery is a series of sophisticated multi-stage attacks that delivered highly destructive wipers dubbed WhisperGate and HermeticWiper. Cybereason detects and blocks both of these destructive malware strains. See below for a demo that shows Cybereason blocking the WhisperGate variant.\r\nWhisperGate Wiper\r\nWhisperGate masquerades as ransomware and has paralyzed numerous Ukrainian organizations. This is not the first time destructive malware has made its way to Ukrainian organizations from Russia. A similar attack was conducted in 2017, when thousands of Ukrainian businesses were targeted with the NotPetya ransomware, which was attributed to the elite Russian APT group known as Sandworm.\r\nEven though the NotPetya attacks started out targeting only Ukraine, they later “spilled” worldwide, causing massive collateral damage across Europe, Asia and the US. Based on history, it is not an unlikely scenario that the spillage will happen again, with WhisperGate or similar wipers eventually causing damage in other countries and potentially mass disruption.\r\nCybereason Detects and Blocks the WhisperGate Wiper\r\nWhisperGate is delivered through a multi-stage infection chain with two main malware components:\r\nStage 1: A Master Boot Record (MBR) locker used to overwrite the operating system's MBR, which effectively prevents the operating system from loading successfully.\r\nStage 2: A disk wiper used to wipe and destroy files on the target machine.\r\nWhile the wiper was not attributed to a specific Russian APT group, Ukrainian officials publicly attributed the attack to Russia, potentially a step in “preparing the ground” for an upcoming military operation.\r\nThe Cybereason Anti-Ransomware and Anti-MBR corruption technology in the Cybereason XDR Platform detects and prevents the WhisperGate wiper, as well as every other ransomware and wiper strain:\r\nhttps://www.cybereason.com/blog/cybereason-vs.-whispergate-wiper\r\nPage 1 of 5\r\nCybereason protects against WhisperGate\r\nCybereason detects WhisperGate - UI notification\r\nCybereason blocks WhisperGate - user notification\r\nWhisperGate Attack flow graph\r\nSecurity Recommendations:\r\nEnable the Anti-Ransomware Feature on Cybereason NGAV: Set Cybereason Anti-Ransomware protection mode to Prevent with MBR protection set to On - more information for Cybereason customers can be found here\r\nEnable the Anti-Malware Feature on Cybereason NGAV: Set Cybereason Anti-Malware mode to Prevent and set the detection mode to Moderate and above - more information for Cybereason customers can be found here\r\nKeep Systems Fully Patched: Make sure your systems are patched in order to mitigate vulnerabilities\r\nRegularly Back Up Files to a Remote Server: Restoring your files from a backup is the fastest way to regain access to your data\r\nUse Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering and mail filtering.\r\nCybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. More resources around emerging threats tied to the Russian aggression in Ukraine can be found here. Learn more about Cybereason AI-driven XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.\r\nAbout the Researcher:\r\nLIOR ROCHBERGER, SENIOR THREAT RESEARCHER AND THREAT HUNTER, CYBEREASON\r\nAs part of the Nocturnus team at Cybereason, Lior has created procedures to lead threat hunting, reverse engineering and malware analysis teams.\r\nLior has also been a contributing researcher to multiple threat and malware blogs including Bitbucket, Valak, Ramnit, and Raccoon stealer. Prior to Cybereason, Lior led SOC operations within the Israeli Air Force.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nAll Posts by Cybereason Nocturnus\r\nSource: https://www.cybereason.com/blog/cybereason-vs.-whispergate-wiper",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/cybereason-vs.-whispergate-wiper"
	],
	"report_names": [
		"cybereason-vs.-whispergate-wiper"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434245,
	"ts_updated_at": 1775791830,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c538e3c9d7036a64179fc762296a7b3e8e93de07.pdf",
		"text": "https://archive.orkl.eu/c538e3c9d7036a64179fc762296a7b3e8e93de07.txt",
		"img": "https://archive.orkl.eu/c538e3c9d7036a64179fc762296a7b3e8e93de07.jpg"
	}
}