{
	"id": "93eb5885-b4e7-45b5-a7e2-ddfa5bd9dbb3",
	"created_at": "2026-04-06T00:07:56.568692Z",
	"updated_at": "2026-04-10T13:12:28.679548Z",
	"deleted_at": null,
	"sha1_hash": "e8c88b2c88c8630a4eba39b61e0eb3a5ac0e43db",
	"title": "HermeticWiper Malware \u0026 The Russian-Ukrainian Cyber War | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51053,
	"plain_text": "HermeticWiper Malware \u0026 The Russian-Ukrainian Cyber War |\r\nDeep Instinct\r\nBy Ido Kringel, Threat Intelligence Researcher\r\nPublished: 2022-03-01 · Archived: 2026-04-02 11:06:13 UTC\r\nOn February 24, the Russian-Ukrainian conflict escalated into an invasion of Ukraine by Russian armed forces.\r\nHowever, these hostilities were not limited to the physical domain. Cyber warfare is happening in parallel to the\r\narmed conflict, becoming an inseparable part of the hostile exchanges between these nations. \r\nOur Threat Research team noted various cyberattacks deployed by Russia in the weeks preceding the invasion\r\naimed at sowing chaos and disrupting communications within Ukraine’s government and military institutions.\r\nWhile the most publicized of these cyberattacks were the DDoS attacks, official government website take-downs,\r\nand website defacements, the most disruptive attack was a disk-wiping malware called WhisperGate, which we\r\ncovered in a previous post.  \r\nOn February 23, one day before the larger Russian land invasion began, Ukrainian organizations were targeted by\r\nanother destructive disk-wiping malware dubbed HermeticWiper, designed to wipe a computer’s hard disk data\r\nand destroy the Master Boot Record and partitions, making any impacted machines inoperable. \r\nWhat is HermeticWiper  \r\nHermeticWiper makes use of a driver belonging to an outdated version of the EaseUS Partition Master application,\r\ndeveloped by CHENGDU YIWO Tech Development. The attackers used a benign, digitally signed kernel driver to\r\nevade detection while utilizing the driver's ability to interact with storage devices and acquire low-level disk\r\naccess to retrieve partition information and corrupt the device’s disks. \r\nWhile the driver is digitally signed by ‘Hermetica Digital Ltd’ (hence the wiper name), the certificate has since been\r\nrevoked.  
\r\nFigure1 – left – EaseUS invalid signed driver; right – HermeticWiper signed certificate\r\nThe malware stores 32-bit and 64-bit versions of the driver as MS-compressed copies within its resource section,\r\ndeploying the appropriate one according to the operating system version. Forensic analysis reveals that the malware has several\r\nvariants, one with a timestamp dating to December 2021, indicating the attack has been 'in progress’ for quite\r\nsome time. \r\nWe've observed several attacks which precede the execution of the wiper. In one case, the attackers exploited a\r\nknown vulnerability in Microsoft SQL Server (CVE-2021-1636) to gain a foothold in one of the Ukrainian\r\norganizations. In a separate case, the attackers gained access to the network via malicious SMB activity against a\r\nMicrosoft Exchange Server, which led to credential theft, and later to the deployment of the wiper. Several other\r\nmethods were also employed, including the Apache Tomcat vulnerability, which allowed the attackers to run\r\nPowerShell commands, dump credentials, and execute the malware. \r\nhttps://www.deepinstinct.com/blog/hermeticwiper-malware-the-russian-ukrainian-cyber-war\r\nPage 1 of 4\r\nWhen executed, HermeticWiper will first gain higher privileges by utilizing Access Token Manipulation [T1134]\r\nand then obtain \"SeBackupPrivilege\" (which allows it to read the content of any file) and \"SeLoadDriverPrivilege\"\r\n(which allows it to load/unload any driver). As we previously mentioned, HermeticWiper uses the EaseUS-signed\r\ndriver in order to manipulate the disk. \r\nNext, HermeticWiper will disable the Volume Shadow Service (VSS) and disable crash dumps by modifying specific\r\nregistry keys, ensuring that no backups will be available and covering its tracks. \r\nIt will then enumerate the system’s physical drives. 
For each, it will then corrupt the first 512 bytes and destroy\r\nthe Master Boot Record (MBR). \r\nWhile this should be enough to make any computer inoperable, HermeticWiper doesn't stop there. It next checks\r\nfor NTFS or FAT file systems and corrupts them, ensuring that systems with both MBR and GPT drives are\r\ncompromised. The wiper will then force a system shutdown to complete the wiping operation. \r\nSimilar to the previous WhisperGate attack, where the wiper was disguised as ransomware, the attackers appear to\r\nbe using PartyTicket ransomware as a decoy in addition to the HermeticWiper malware to distract from the wiper\r\nattacks.\r\nRussia-Ukraine Cyber Warfare \r\nAs we mentioned above, Russia started its cyberattack campaign long before the armed forces invasion. However,\r\nafter the HermeticWiper attack began on February 23, we’ve seen a surge in cyber warfare between the two\r\ncountries. \r\nHere is the timeline of the major events: \r\nIOCs \r\nPredictions and guidance \r\nThe ongoing Russian-Ukrainian conflict is already causing a significant escalation in the quantity and scope of\r\nattacks from many disparate parties. Elevated activity is being seen from state-sponsored groups, non-state-sponsored actors, and independent hacktivists like the Anonymous group.  \r\nThe unprecedented raft of sanctions enacted against Russia may provoke further retaliation and response in the\r\nform of cyberattacks by Russian-based organized cybercrime groups and state-sponsored or contracted actors. We\r\nhave already seen several cyber gangs supporting Russia threaten to use their resources to strike back against\r\nnations and organizations that may coordinate cyberattacks against Russia.  \r\nWe estimate the ongoing physical conflict escalation combined with the new sanctions will lead to a higher risk\r\nprofile; this will be heightened for sectors associated with sanctions that have high economic or national security\r\nvalue. These may include financial services, aviation and aerospace, energy, and critical infrastructure.   \r\nFollowing are some key points to consider or act upon given the changes in the risk profile:  \r\nThreat actors are targeting organizations with phishing attempts related to the conflict. Security staff should\r\nremind or re-educate employees to minimize successful social engineering attempts.\r\nEvery application in the organization can be a potential backdoor to the organization. These applications\r\nneed to be updated frequently with the latest security patches. 
Organizations should apply a strict\r\napplication control policy while limiting applications which are not critical to their business.\r\nScripts are a powerful execution mechanism. There are entire industries (healthcare, for example) where\r\nmost users in the organization have no need to execute scripts. Security staff should restrict script\r\nexecution based on a user’s roles and devices.\r\nTo ensure increased visibility, it is recommended to configure or enable additional layers of logging when\r\nand where available.\r\nIncident response requires considerable time and resources. The initial response of the security staff to a\r\npossible threat can make a huge difference in the overall impact of the attack. Trained security staff\r\nwith a dedicated playbook for incident response scenarios should prevent additional infection and lateral\r\nmovement inside the organization.\r\nIn order to be as evasive as possible, threat actors have learned to live off the land. With the use of\r\nPowerShell and other libraries in the operating system, bad actors can stay under the radar. SOC operators\r\nshould be extremely attentive to potential LOLBin attacks.\r\nProtection from HermeticWiper with Deep Instinct \r\nDeep Instinct prevents HermeticWiper and PartyTicket statically prior to execution, stopping them before they can\r\ndeploy. \r\nIf you’d like to learn more, please request a demo. \r\nSource: https://www.deepinstinct.com/blog/hermeticwiper-malware-the-russian-ukrainian-cyber-war",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.deepinstinct.com/blog/hermeticwiper-malware-the-russian-ukrainian-cyber-war"
	],
	"report_names": [
		"hermeticwiper-malware-the-russian-ukrainian-cyber-war"
	],
	"threat_actors": [],
	"ts_created_at": 1775434076,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e8c88b2c88c8630a4eba39b61e0eb3a5ac0e43db.pdf",
		"text": "https://archive.orkl.eu/e8c88b2c88c8630a4eba39b61e0eb3a5ac0e43db.txt",
		"img": "https://archive.orkl.eu/e8c88b2c88c8630a4eba39b61e0eb3a5ac0e43db.jpg"
	}
}