What are HermeticWiper & IsaacWiper?

by Excellium SA

What are HermeticWiper & IsaacWiper?

by Excellium SA

by Excellium SA

Imagine waking up one day to find that all your important data, such as photos and documents, has been erased with no way to restore them. A scary thought, right? As technology evolves, so does the way we store valuable data. Let’s face it, users do not keep a hard copy of every photo or document they have on their computer. With their busy daily routines, people are so used to storing data on electronic devices for quick access.

The problem is that few users are in the habit of keeping backups, especially on a separate device such as a portable hard drive or USB stick. By not preparing for the worst, they become the perfect victims of a Wiper malware attack.

What is a wiper?

A wiper is a type of malware whose purpose is to wipe data from the infected computer’s hard drive.

A wiper attack involves wiping, overwriting or deleting the victim’s data. Unlike typical cyberattacks, which tend to be profit-oriented, wiper attacks are destructive in nature and often do not involve a ransom demand.

As an example of a wiper, below is the message displayed by the NotPetya wiper. NotPetya is a wiper malware but appears as ransomware by displaying a ransom note on the infected computer’s screen.

message displayed by the NotPetya wiper

NotPetya Message

Some backgrounds

Wiper’s first appearance is attributed to a threat called Narilam, which caused problems in 2008-2009 by targeting Iranian commercial and financial software.

Groovemonitor is the name of a wiper attack against Iran in 2012. What is curious about this malware is that it did not write data to specific data intervals to cause destruction. Instead, Groovemonitor’s targets were certain files created on specific dates.

As its name suggests, Dark Seoul is a wiper focused on targeting South Korea. The threat became notorious in 2013 with its attacks on media and banks.

On November 24, 2014, a malicious wiper attack against Sony Pictures made headlines. The attack came in response to the rather unflattering depiction of North Korean leader Kim Jong-un in the movie “The Interview.”


HermeticWiper/IsaacWiper by ESET

What makes HermeticWiper special is that it is a latent virus. It could have been implanted in information systems for years, well hidden, before being remotely activated by hackers. When searching its source code, specialists realized that it was created on December 28, 2021, and finally appeared on the Ukrainian scene only a few weeks ago.

This malware, obviously distributed by Group Policy Object (GPO) and thus aiming at compromising the victim’s computer system, hijacks a legitimate disk partitioning driver to corrupt system partitions, resulting in the loss of data on a machine (server or workstation). The objective of the attack is clear and unique: the destruction of data.

Result after the attack HermeticWiper.

The result after the attack HermeticWiper. Source: Zscaler

ESET researchers have discovered several families of malware targeting Ukrainian organizations.

  • A destructive campaign using HermeticWiper targeted several Ukrainian organizations on February 23, 2022.
  • The initial access vectors varied from organization to organization. ESET researchers confirmed a case where the wiper was dropped by GPO, and discovered a worm used to spread the wiper into another compromised network.
  • A second destructive attack against a Ukrainian government network began, using a wiper named IsaacWiper, on February 24, 2022.

ESET researchers defined that these destructive attacks exploited at least three components:

HermeticWiper was observed on hundreds of systems in at least five Ukrainian organizations.

Another new wiper was detected in a Ukrainian government network on February 24, 2022. It was named IsaacWiper. Currently, a study is underway to try to find links between HermeticWiper and IsaacWiper. It is important to note that IsaacWiper was observed in an organization that was not affected by HermeticWiper.


In short

To conclude here are some points to protect yourself against Wipers:

  • Up to date

Malware threats are constantly evolving and changing from day to day. Therefore, malware protection and security must always be up to date.

  • Security Awareness

Informed users can be the best form of defense against cyberattacks. Employees are the weakest link in any organization, so education about phishing scams, URL anomalies, strange attachments and other attack vectors is essential.

  • Backup

The difference between a major event and a minor inconvenience is a solid disaster recovery strategy. A solid disaster recovery plan can minimize both data loss and downtime. By configuring robust backups, data deduplication and virtual desktop infrastructure, you can recover your data even after a major wipe attack or any malware attack for that matter.

  • Operating system and software patching

Most operating system (OS) updates are security-related, not just feature-related. These patches provide the required protection against vulnerabilities identified in a version of the operating system or software.

  • Monitoring

While performing its harmful actions, Wiper modifies the system. Monitoring the changes can greatly improve detection efforts.

Did you like this article? Find even more articles in our blog.


Credit: Alaaedine Chatri