A new form of malware is reportedly being deployed by Russia against Ukraine.

The malware, known as HermeticWiper and WhisperGate, represents an escalation in how malware is deployed.

According to an Avanan security analysis, the malware masquerades as ransomware, showing the victims that their files have been encrypted. There’s also a political message at the top.

Unlike the typical ransomware attack, however, there is no mechanism for recovery. The hermetic wiper renders systems inoperable by corrupting the master boot record (MBR).

Here’s what the message looks like:

 

Further, there’s a malware icon, which shows itself as a present.  This is a telltale sign your computer is about to lose its data.

 

 

The malware works on 32- or 64-bit versions of Windows. It will disable the crash message, which makes it a lot harder to find the root cause. It will disable shadow copies so the admin can’t recover. Once the malware has finished encrypting all the files, not only are the files encrypted, but the system will no longer work. There appears to be no mechanism for recovering the files.

 

As CISA notes:

Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event. 

 

Since the malware has now been documented widely, the file itself will be fairly easily discovered by most systems, as shown by VirusTotal:

 

Because of that, it’s our belief that this could be sent via the cloud suite. Beyond that, it could be configured to detonate after clicking.

That means the file will appear in email as benign and could then bypass scanners. When clicked, however, they will be activated. That’s why URL rewriting, along with time-of-click analysis, is so important.

We may also see this come as an encrypted attachment. In this type of attack, the email will appear legitimate and the password is included in the email body. The malware is only activated when the user decrypts the attachment by using the password and then launches the file. Avanan can automatically block all emails with encrypted attachments.

Evasion is the name of the game, and it’s only more critical as malware like this one gets discovered and reported on. If threat actors can send and execute this malware in an otherwise innocent-looking email, or even in a Teams chat, it will be much less likely to be detected by traditional antivirus tools.

Incorporating full-suite security is essential, as well as being able to fight through the evasion and understand exactly what’s going on. 

Subscribe to Our Attack Briefs for More Research