25 February 2022

New destructive data wiper found on hundreds of computers in Ukraine



Researchers at cybersecurity firms ESET and Symantec have found a new data-wiping malware that has infected hundreds of computers on Ukrainian networks just as Russia’s troops invaded Ukraine (on February 24). The report comes after the country was hit by another wave of DDoS attacks targeting the websites of several Ukrainian government agencies, including the Ministries of Foreign Affairs, Defense, and Internal Affairs, the Security Service, and the Cabinet of Ministers, and of the two largest state-owned banks, Privatbank and Oschadbank.

According to ESET, the malware, tracked as Win32/KillDisk.NCV and HermeticWiper, was detected on February 23 on hundreds of computers on Ukrainian networks. However, the PE compilation timestamp (2021-12-28) of one of the samples suggests that the attack had been in the works for some time.

The malware abuses legitimate drivers from the EaseUS Partition Master software to corrupt data. It also trashes the device’s Master Boot Record, making the device unbootable. According to ESET, the attackers used a genuine code-signing certificate issued to a Cyprus-based company called Hermetica Digital Ltd.

Symantec’s threat intelligence team said it also found evidence of wiper attacks against machines in Latvia and Lithuania. Targets included entities in the financial, defense, aviation, and IT services sectors.

The researchers said that in some cases the wiper was accompanied by a GoLang-based ransomware decoy, likely used as a distraction to disguise the wiper attacks.

Cybersecurity Help’s statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any man aren’t worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. Stop war!
