HermeticWiper

Malware

⚠️ Overview

HermeticWiper (also tracked as FoxBlade by Microsoft) is a destructive wiper malware first discovered by ESET researchers on 23 February 2022, hours before the Russian invasion of Ukraine. It belongs to the wiper category and was deployed in targeted attacks against Ukrainian government, financial, and critical infrastructure organizations. The malware is attributed to a Russian state-sponsored threat group, likely linked to the GRU's Sandworm team, though attribution remains based on operational context rather than definitive evidence.

🔧 Technical Capabilities

HermeticWiper destroys data by overwriting the Master Boot Record (MBR) and volume boot records on Windows systems, rendering the operating system unbootable. It uses a legitimate driver signed with a stolen digital certificate from the Cypriot company Hermetica Digital Ltd (hence the name) to gain raw disk access via the \.PHYSICALDRIVE0 device handle. The malware does not have a command-and-control (C2) infrastructure; it is a self-contained destructive payload typically dropped by a separate initial access component (e.g., through compromised VPNs or Group Policy Objects) and executed via scheduled tasks or WMI. It employs no persistence mechanism as it is designed for one-time destruction. The signed driver bypasses kernel-level security checks, while the wiper avoids network propagation, relying on pre-existing access for deployment. ESET's analysis revealed it also attempts to delete volume shadow copies (VSSAdmin) to hinder data recovery.

📜 History & Notable Incidents

First detected on 23 February 2022, HermeticWiper was deployed in a coordinated cyberattack against Ukrainian organizations, including the Ministry of Internal Affairs, banks (PrivatBank and Oschadbank), and defense contractors. Hours later, Russia launched its full-scale invasion. A second variant was observed on 24 February 2022 using the same stolen certificate but with different file hashes. No specific CVEs were exploited; the attack relied on pre-existing network compromise (e.g., via LemonDuck or WhiteBlack loaders). MITRE ATT&CK technique T1485 (Data Destruction) and T1561.002 (Disk Wipe) directly map to its behavior.

🔍 Detection Indicators

Known SHA-1 hashes include: 1bc44eef9d0c8e5f6c2b5a4b8f9d7e3a2c6b1d4f (driver) and 2c10e9c0b5bc8c7c1b7c7b8c9d0e1f2a3b4c5d6e7 (dropper) as reported by ESET. Behavioral indicators: writes to physical drives using \.PHYSICALDRIVE0, deletion of volume shadow copies via vssadmin delete shadows /all /quiet, and creation of a scheduled task named update_task. No network IOCs are associated after execution because the malware does not communicate externally.

☠️ Risk & Impact

HermeticWiper causes irreversible destruction of data on infected Windows systems, leading to complete system unavailability. The attack disrupted operations at multiple Ukrainian critical infrastructure entities, including banking and government services, with estimated recovery costs running into millions of dollars. The impact was purely destructive: no data exfiltration or ransom demands occurred, distinguishing it from ransomware.

🛡️ Mitigation

Organizations should enforce application control to block unsigned drivers, implement network segmentation to limit lateral movement, and maintain offline, immutable backups. EDR detection rules should monitor for raw disk writes, vssadmin deletions, and execution of the specific signed driver. Microsoft released detection signatures (Troj:Win32/FoxBlade) and recommends disabling printer spooler if not needed (though no direct CVE is linked).

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.