Motonewstoday.com

Victims of the HermeticWiper malware are now also reporting ransomware attacks

Cybersecurity researchers at the Microsoft Threat Intelligence Center (MSTIC) noted that companies across Ukraine and Poland were hit by two separate attacks: one that deployed a disk wiper called HermeticWiper and the other a ransomware strain called Prestige.

“Despite using similar deployment methods, the [Prestige] campaign differs from recent destructive attacks using […] Foxblade (HermeticWiper), which over the past two weeks have affected many critical infrastructure organizations in Ukraine,” the researchers explained.

“MSTIC has not yet linked this ransomware campaign to a known threat group and is continuing to investigate.”

In some cases, the victim companies overlap, but Microsoft researchers are not yet convinced that they are all the work of the same threat actor.

Microsoft is currently tracking the group(s) as DEV-0960, a common label for threat actors whose identities have not yet been disclosed.

However, there is circumstantial evidence that the attackers have ties to the Kremlin, as HermeticWiper was first spotted in the wild a day before the invasion of Ukraine, deployed against Ukrainian organizations.

Researchers do not yet know how the attackers managed to compromise the target networks or whether malware was involved. They do know that the attackers used two remote execution tools (RemoteExec and Impacket WMIexec) to monitor the compromised endpoints.

“The threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a constant theme,” Microsoft further stated. “Ransomware and wiper attacks rely on many of the same security flaws to succeed.”

Endpoint security solutions and anti-ransomware software may limit some of the damage from this new threat.

Via: Register

https://www.techradar.com/news/hermeticwiper-malware-victims-are-reporting-ransomware-attacks-too/
