What is HermeticWiper?

HermeticWiper is a disk-wiping malware that destroys hard disk data, the Master Boot Record, and partitions, which renders a victim PC useless.

How was it discovered?

Just before the land invasion by Russian forces into the Ukraine in February 2022, Ukrainian government and civilian organizations were hit by HermeticWiper, with the intent to disable as many systems as possible and gain a technological advantage during the attack.

How does it work?

HermeticWiper makes use of the driver from a disk partition manager software, EaseUS Partition Master, to do its dirty work. It gets its name from the signer of the digital certificate, Hermetica Digital Ltd. Because the driver was digitally signed (its certificate has since been revoked for obvious reasons), it was allowed kernel access legitimately by Windows, making the attack very evasive to existing security tools.

Using this digitally signed driver from a legitimate program, HermeticWiper accesses the Master Boot Record, enumerates the partitions, then corrupts them making them unusable. It also disables Shadow Copy and crash dumps, preventing the use of backups to restore the corrupted disk partitions.

The Deep Instinct Prevention platform helps protect organizations against this and other known and unknown attacks without the need for constant updates and cloud intelligence because of the superiority of the Deep Learning static analysis engine. Both known and unknown threats are prevented in <20ms with a false positive rate of <0.1%.

Further Reading