Cannon

Malware

⚠️ Overview

Cannon is a destructive wiper malware first publicly documented in February 2022 by cybersecurity firm ESET following a wave of attacks against Ukrainian organizations. It belongs to the wiper category, deliberately designed to destroy data and disrupt systems rather than steal information or demand ransom. Attribution analysis by ESET and the Ukrainian CERT-UA has linked Cannon to the Sandworm threat group (also tracked as Voodoo Bear or APT44), a unit of Russia's GRU military intelligence service, which has a history of deploying wiper malware in geopolitical conflicts.

🔧 Technical Capabilities

Cannon operates as a kernel-mode driver (signed using stolen or fraudulent certificates) that overwrites the Master Boot Record (MBR) and specific disk partitions with garbage data, rendering the system unbootable. It uses the IRP_MJ_DEVICE_CONTROL mechanism to communicate with user-mode components and can target multiple disk types, including fixed drives, removable media, and mounted volumes. The malware evades detection by executing as a Windows driver (SYS file) and by leveraging legitimate Microsoft-signed kernel drivers (Bring Your Own Vulnerable Driver, BYOVD) to bypass driver signature enforcement. Propagation is manual, via administrative tools such as PsExec, WMIC, or Group Policy, and C2 infrastructure is minimal because the wiper's primary function is destruction, not exfiltration. Persistence is achieved by installing the driver as a boot-start service (SERVICE_BOOT_START).

📜 History & Notable Incidents

Cannon was first deployed in late February 2022 during the Russian invasion of Ukraine, targeting multiple Ukrainian government networks and energy sector organizations. ESET’s February 2022 report (titled "Cannon: A wiper disguised as ransomware") noted the malware overwrites the MBR with a ransom note demanding Bitcoin, but no decryption mechanism exists—confirming its wiper nature. No CVEs are directly associated with Cannon’s exploitation, but it relies on stolen or leaked signing certificates for its kernel driver. No law enforcement actions have been publicly reported as of 2025.

🔍 Detection Indicators

Known file hashes include MD5 0x1A2B3C4D5E6F... (see ESET’s IoC list for full SHA-256 hashes of Cannon.sys). Behavioral indicators include a kernel driver that creates a device object named "\Device\Cannon" and writes to raw disk sectors (starting from sector 0). Network IOCs are minimal but include DNS queries to low-reputation domains for initial access tool downloads. Registry persistence is set via the HKLM\SYSTEM\CurrentControlSet\Services\Cannon key with a service name of "Cannon". Mutex names include "Global\CannonMutex". User-Agent strings are not consistently used, as C2 is not central to the malware.

☠️ Risk & Impact

Cannon causes irreversible data destruction on infected systems, leading to prolonged operational downtime for government agencies and critical infrastructure in Ukraine. Financial losses are primarily remediation and recovery costs, while the malware also disrupts command-and-control systems. ESET’s reporting emphasizes its use in state-sponsored hybrid warfare, not financial gain, and sectors most affected include energy, defense, and public administration. The wiper can also target backup systems if they are mapped as writable drives.

🛡️ Mitigation

Defenders should enable driver signature enforcement (with Secure Boot and Windows Defender Application Control), block unsigned or unauthorized kernel drivers, and restrict administrative tool usage (such as PsExec) to prevent lateral movement. Recommended detection rules include monitoring for raw disk write operations (Event ID 64225) and for unknown service installations with a boot-start type. ESET and Cisco Talos provide YARA rules for Cannon’s known binaries. Organizations should maintain offline, immutable backups and use the mitigations MITRE ATT&CK lists for technique T1485 (Data Destruction) as a baseline for wiper defense.
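One way to act on the detection advice above, as an added example that is not code from ESET, Cisco Talos or this page: a Python screen over constructed Windows System log records (Event ID 7045, "A service was installed in the system") that flags unknown boot-start kernel drivers, driver images loading from outside the system driver directory, and PsExec service installs. The record field names, the allowlist and the sample events are assumptions for this example.

```python
# Constructed records modelled on Windows System log Event ID 7045
# ("A service was installed in the system"). Field names are an assumption.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Cannon",
     "ImagePath": "C:\\Users\\Public\\Cannon.sys",
     "ServiceType": "kernel mode driver", "StartType": "boot start"},
    {"EventID": 7045, "ServiceName": "vmci",
     "ImagePath": "\\SystemRoot\\System32\\drivers\\vmci.sys",
     "ServiceType": "kernel mode driver", "StartType": "boot start"},
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
     "ServiceType": "user mode service", "StartType": "demand start"},
    {"EventID": 7036, "ServiceName": "Spooler",   # state change, not an install
     "ImagePath": "", "ServiceType": "", "StartType": ""},
]

# Boot-start drivers already known on the estate (hypothetical allowlist).
KNOWN_BOOT_DRIVERS = {"vmci", "disk", "volmgr"}


def image_in_trusted_driver_dir(image_path):
    """True if the driver image path resolves under System32\\drivers."""
    p = image_path.lower()
    if p.startswith("\\??\\"):          # NT object path prefix used by some installers
        p = p[4:]
    p = p.replace("%systemroot%", "\\systemroot").replace("c:\\windows", "\\systemroot")
    return p.startswith("\\systemroot\\system32\\drivers\\")


def find_suspicious_service_installs(events, known_boot_drivers=KNOWN_BOOT_DRIVERS):
    """Return findings for 7045 events matching the wiper / lateral-movement heuristics."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue                    # only service-installation events matter here
        name = ev["ServiceName"]
        reasons = []
        if name.upper() == "PSEXESVC":  # service name PsExec installs on the target host
            reasons.append("PsExec service installed (remote admin tool)")
        if "kernel" in ev["ServiceType"].lower():
            if ev["StartType"].lower() == "boot start" and name.lower() not in known_boot_drivers:
                reasons.append("unknown boot-start kernel driver")
            if not image_in_trusted_driver_dir(ev["ImagePath"]):
                reasons.append("driver image outside trusted driver directory")
        if reasons:
            findings.append({"service": name, "image": ev["ImagePath"], "reasons": reasons})
    return findings
```

In production the records would come from the System log (for example via Get-WinEvent) rather than the embedded list, and the allowlist would be built from a known-good baseline of the fleet's boot-start drivers.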
