{
	"id": "d38a3cb1-0c9f-4cab-9bb1-085570db1954",
	"created_at": "2026-04-06T01:31:24.031527Z",
	"updated_at": "2026-04-10T13:12:37.673971Z",
	"deleted_at": null,
	"sha1_hash": "ef94a35ba0f6247160298dde50d06944adcbac5a",
	"title": "CrowdStrike Protects from Wiper Malware Used in Ukraine Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 867508,
	"plain_text": "CrowdStrike Protects from Wiper Malware Used in Ukraine Attacks\r\nBy William Thomas - Adrian Liviu Arsene - Farid Hendi\r\nArchived: 2026-04-06 00:49:30 UTC\r\nOn Feb. 23, 2022, a new wiper malware was reported targeting Ukraine systems\r\nThe wiper destroys files on infected Windows devices by corrupting specific elements of connected hard\r\ndrives\r\nCrowdStrike Intelligence refers to this destructive malware as DriveSlayer\r\nDriveSlayer is the second recent destructive malware targeting Ukraine, following WhisperGate\r\nThe CrowdStrike Falcon® platform provides continuous protection from DriveSlayer and wiper-style\r\nthreats by offering real-time visibility across workloads\r\nOn Feb. 23, 2022, a new wiper malware was reported publicly as affecting Ukrainian-based systems. Following a\r\nseries of denial-of-service attacks and website defacements, the new destructive malware corrupts the master boot\r\nrecord (MBR), partition and file system of all available physical drives on Windows machines.\r\nCrowdStrike Intelligence refers to this new destructive malware as DriveSlayer, and it’s the second wiper to affect\r\nUkraine following the recent WhisperGate. DriveSlayer is digitally signed using a valid certificate and also abuses\r\na legitimate EaseUS Partition Master driver to gain raw disk access and manipulate the disk to make the system\r\ninoperable.\r\nThe CrowdStrike Falcon® platform provides continuous protection against DriveSlayer and wiper-style threats by\r\ndelivering real-time visibility across workloads to protect customers.\r\nTechnical Analysis\r\nUnlike WhisperGate, which uses higher-level API calls, DriveSlayer uses raw disk access to destroy data.\r\nUpon initialization, two optional command-line parameters may be used to specify how long the malware will\r\nsleep before destruction begins and the system is restarted. 
If none are specified it will default to 20 and 35\r\nminutes, respectively.\r\nNext, the malware will ensure it has the proper privileges to perform its actions. It uses the API\r\nAdjustTokenPrivileges to give itself the following privileges: SeShutdownPrivilege, SeBackupPrivilege\r\nand SeLoadDriverPrivilege.\r\nPrivilege Name Description\r\nSeShutdownPrivilege Provides the ability to shut down a local system\r\nSeBackupPrivilege Provides the ability to perform system backup operations\r\nhttps://www.crowdstrike.com/en-us/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/\r\nPage 1 of 5\n\nSeLoadDriverPrivilege Provides the ability to load or unload a device driver\r\nDifferent drivers will be loaded based on the system version. The malware uses IsWow64Process to determine\r\nwhich driver version to load. These drivers are stored in the resource section of the binary and are compressed\r\nwith the Lempel-Ziv algorithm. The driver file is written to system32\\drivers with a 4-character, pseudo-randomly\r\ngenerated name. This file is then decompressed using LZCopy to a new file with a “.sys” extension.\r\nExample File Name Description\r\nC:\\Windows\\System32\\drivers\\bpdr Lempel-Ziv compressed driver\r\nC:\\Windows\\System32\\drivers\\bpdr.sys Decompressed driver\r\nBefore the driver is loaded, the malware disables crash dump by setting the following registry key:\r\nRegistry Value Description\r\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled 0 Disables crash dump\r\nTo load the driver, a new service is created using the API CreateServiceW. The name and display name for this\r\nservice are the 4-character name used for the file name. Next, StartServiceW is called in a loop five times to\r\nensure the driver is loaded. 
Immediately after the driver is loaded, the service is removed by deleting the entire\r\nregistry key.\r\nAfter the driver is loaded, the VSS service is disabled using the Service Control Manager. Following this, a\r\nnumber of additional threads are created. A thread is created to handle the system reboot. It will sleep for the time\r\nspecified by the command-line parameter (35 minutes by default), at which point the system will be restarted by an API call to\r\nInitiateSystemShutdownExW.\r\nAnother thread disables features in the UI that could alert the user of suspicious activity occurring on the system\r\nbefore iterating through attached drives.\r\nRegistry Value Description\r\nHKU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor 0 Disables colors for compressed and encrypted NTFS files\r\nHKU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip 0 Disables pop-up information about folders and desktop items\r\nFinally, the malware begins its destructive routine by spawning multiple additional threads that overwrite the files\r\non disk and destroy the partition tables. Once the system is rebooted, the user will see a blank screen with the\r\nwords “Missing operating system.”\r\nThe Falcon Platform’s Continuous Monitoring and Visibility Stop Destructive Malware\r\nThe Falcon platform takes a layered approach to protect workloads. 
Using on-sensor and cloud-based machine\r\nlearning, behavior-based detection using indicators of attack (IOAs), and intelligence related to tactics, techniques\r\nand procedures (TTPs) employed by threats and threat actors, the Falcon platform enables visibility, threat\r\ndetection and continuous monitoring for any environment, reducing time to detect and mitigate threats including\r\ndestructive malware.\r\nAs shown in Figure 1, the Falcon platform uses cloud-based machine learning to detect DriveSlayer and prevent\r\nthe malware from performing additional malicious actions, such as loading additional components.\r\nFigure 1. The Falcon platform’s cloud-based machine learning detects DriveSlayer wiper\r\nThe Falcon platform’s behavior-based IOAs can detect and prevent suspicious processes from executing or\r\nloading additional components, as well as other behaviors that indicate malicious intent. For example, Falcon\r\ndetects and prevents DriveSlayer behavior such as tampering with specific registry keys. The behavior-based\r\ndetection is further layered with a traditional indicator of compromise (IOC)-based hash detection (see Figure 2).\r\nFigure 2. CrowdStrike Falcon® detects and prevents DriveSlayer destructive behavior\r\nBecause DriveSlayer has no built-in propagation methods for spreading across infrastructures, and because reports\r\nof it being used to target Ukraine have so far been limited, the risk of organizations encountering this data-wiping\r\nthreat may be low at present. CrowdStrike will continue to monitor and report on the situation as it unfolds.\r\nCrowdStrike Falcon® customers can proactively monitor their environments by using hunting queries to reveal\r\nindicators of DriveSlayer’s presence. 
Read our summary on DriveSlayer, and how to hunt for it in our Support\r\nPortal.\r\nCompanies facing cyber incident risks, including data-wiping threats, are encouraged to take steps to increase\r\ntheir operational resilience. Security solutions that can protect them from malware and other threats must provide\r\nvisibility into their environments and intelligent monitoring of cloud resources to help detect and respond to\r\npotential threats — including destructive threats — and limit potential damages.\r\nNote: More detailed intelligence and technical information about DriveSlayer is available to CrowdStrike\r\ncustomers through the Falcon console and Support Portal.\r\nIndicators of Compromise (IOCs)\r\nFile SHA256\r\nDriveSlayer 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\r\nAdditional Resources\r\nRead more about successive use of offensive cyber operations against Ukraine: Lessons Learned From\r\nSuccessive Use of Offensive Cyber Operations Against Ukraine and What May Be Next.\r\nLearn more about WhisperGate in this CrowdStrike Intelligence blog: Technical Analysis of the\r\nWhisperGate Malicious Bootloader.\r\nLearn more about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product\r\nwebpage.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent to see for yourself how true next-gen AV\r\nperforms against today’s most sophisticated threats.\r\nFollow all related content in Trending Threats \u0026 Vulnerabilities: New Wiper used in Ukraine Cyberattacks.\r\nSource: https://www.crowdstrike.com/en-us/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/en-us/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/"
	],
	"report_names": [
		"how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775439084,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef94a35ba0f6247160298dde50d06944adcbac5a.pdf",
		"text": "https://archive.orkl.eu/ef94a35ba0f6247160298dde50d06944adcbac5a.txt",
		"img": "https://archive.orkl.eu/ef94a35ba0f6247160298dde50d06944adcbac5a.jpg"
	}
}