The data-wiping malware used in attacks on Ukrainian networks on Wednesday before Russia’s invasion of Ukraine early on Thursday was, in some cases, accompanied by a Golang-based ransomware decoy.
“In several attacks Symantec has investigated to date, ransomware was also deployed against affected organizations at the same time as the wiper. As with the wiper, scheduled tasks were used to deploy the ransomware,” Symantec said on Thursday.
“It appears likely that the ransomware was used as a decoy or distraction from the wiper attacks. This has some similarities to the earlier WhisperGate wiper attacks against Ukraine, where the wiper was disguised as ransomware.”
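Both the wiper and the ransomware decoy were launched through scheduled tasks, which makes task-creation telemetry a useful place to look. The following is an added triage example, not code from Symantec or from this article: it runs over a few constructed records shaped like Windows Security Event ID 4698 ("A scheduled task was created") and flags tasks whose action runs from a user-writable or temporary path, raising severity when a host sees several such tasks within a short window. The host names, task names and paths are constructed placeholders, and the path list and ten-minute window are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry) in the shape of Event ID 4698,
# already parsed into dicts: host, creation time, task name, creating user, action.
SAMPLE_EVENTS = [
    {"host": "ws-01", "time": "2022-02-23T16:02:10",
     "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "user": "SYSTEM", "command": "C:\\Windows\\System32\\defrag.exe"},
    {"host": "ws-01", "time": "2022-02-23T16:05:41", "task": "\\Update",
     "user": "CORP\\svc-admin", "command": "C:\\Windows\\Temp\\payload1.exe"},  # placeholder
    {"host": "ws-01", "time": "2022-02-23T16:06:02", "task": "\\Cleanup",
     "user": "CORP\\svc-admin", "command": "C:\\Users\\Public\\payload2.exe"},  # placeholder
    {"host": "ws-07", "time": "2022-02-23T09:15:00", "task": "\\Backup",
     "user": "CORP\\backup", "command": "C:\\Program Files\\Backup\\agent.exe"},
]

# Assumed list of locations a scheduled task rarely needs to execute from on a
# managed host; adjust to local policy.
SUSPICIOUS_PATHS = re.compile(
    r"^[A-Za-z]:\\(?:Windows\\Temp|Users\\[^\\]+\\AppData|Users\\Public|ProgramData|PerfLogs|Temp)\\",
    re.IGNORECASE,
)
BURST_WINDOW = timedelta(minutes=10)  # assumption
BURST_COUNT = 2                       # assumption


def suspicious_path(command: str) -> bool:
    """True when the task action executes from one of the flagged directories."""
    return bool(SUSPICIOUS_PATHS.match(command.strip('"')))


def hosts_with_burst(events, window=BURST_WINDOW, threshold=BURST_COUNT):
    """Hosts on which at least `threshold` of the given events fall inside `window`."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(datetime.fromisoformat(ev["time"]))
    flagged = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(host)
                break
    return flagged


def triage(events):
    """Return suspicious task creations; severity is raised when a host shows a burst of them."""
    suspect = [ev for ev in events if suspicious_path(ev["command"])]
    bursts = hosts_with_burst(suspect)
    return [
        {"host": ev["host"], "task": ev["task"], "user": ev["user"],
         "command": ev["command"],
         "severity": "high" if ev["host"] in bursts else "medium"}
        for ev in suspect
    ]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The path rule on its own produces noise from software installers and admin tooling, so the burst condition is what should drive an alert; the medium findings are better left as hunting context.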
The ransomware decoy also included a ransom note on compromised systems, with a political message stating that, “The only thing that we learn from new elections is we learned nothing from the old!”
The ransom note also instructs victims to reach out to two email addresses in order to retrieve their files.
The wiper, called HermeticWiper by SentinelOne researcher J. A. Guerrero-Saade, was deployed in Wednesday’s attacks targeting Ukrainian organizations, and it also ended up on systems outside Ukraine’s borders.
Targets that fell victim to wiper attacks also included finance and government contractors from Ukraine, Latvia, and Lithuania, according to Vikram Thakur, Technical Director at Symantec Threat Intelligence.
Although the cyberattacks occurred on Wednesday, cybersecurity firm ESET noted that the HermeticWiper malware carried a compilation timestamp of Dec. 28, 2021, suggesting the attacks were planned in advance.
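The compilation date comes from the TimeDateStamp field in the PE file's COFF header. As an added example (not ESET's tooling or anything from the article), the function below reads that field from a Windows executable, and a helper constructs a minimal header, not a runnable binary, carrying the same date so the reader can exercise it without a sample. The field is written by the linker and can be set to any value, so it is an indicator to weigh, not proof of when a binary was built.

```python
import struct
import sys
from datetime import datetime, timezone

# Layout per the Microsoft PE/COFF specification.
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C      # DWORD in the DOS header: file offset of "PE\0\0"
COFF_TIMESTAMP_OFFSET = 8   # TimeDateStamp follows Machine and NumberOfSections


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != DOS_MAGIC:
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + COFF_TIMESTAMP_OFFSET)
    return timestamp


def pe_compile_date(data: bytes) -> str:
    """Human-readable UTC form of the compile timestamp."""
    ts = pe_compile_timestamp(data)
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def build_sample_header(timestamp: int) -> bytes:
    """Constructed minimal DOS header + PE signature + COFF header (not an executable)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    # Machine (x64), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 3, timestamp, 0, 0, 240, 0x22)
    return bytes(dos) + PE_SIGNATURE + coff


# Constructed sample with the article's date, 2021-12-28 00:00:00 UTC.
SAMPLE_TIMESTAMP = int(datetime(2021, 12, 28, tzinfo=timezone.utc).timestamp())
SAMPLE_HEADER = build_sample_header(SAMPLE_TIMESTAMP)


if __name__ == "__main__":
    # Usage: python pe_timestamp.py <file.exe>; with no argument the sample header is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_HEADER
    print(pe_compile_date(data))
```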
Symantec found evidence of attackers gaining access to victims’ networks beforehand by exploiting Microsoft Exchange vulnerabilities in November and installing web shells before deploying the wiper malware.
For example, “An organization in Lithuania was compromised from at least November 12, 2021, onwards,” Symantec said.
This was the second data wiper used against Ukrainian networks since the beginning of 2022. Microsoft disclosed in January a destructive data-wiping malware called WhisperGate that was likewise disguised as ransomware and used in attacks against Ukrainian organizations.
Wednesday’s malware attacks occurred together with DDoS attacks against Ukrainian government agencies and state-owned banks, similar to the one deployed on Feb. 16, which impacted Ukrainian government websites and banks.
While these most recent attacks have not yet been attributed, the White House linked last week’s DDoS attacks to Russia’s Main Directorate of the General Staff of the Armed Forces.