IsaacWiper

Malware

⚠️ Overview

IsaacWiper is destructive data-wiping malware that ESET researchers first observed on 24 February 2022, the day Russia launched its full-scale invasion of Ukraine, and described publicly on 1 March 2022. It is classed as a wiper rather than ransomware: it overwrites disk structures and file contents with pseudorandom data and offers no recovery path. ESET found no code in common between IsaacWiper and HermeticWiper, which hit other Ukrainian organizations a day earlier, and did not attribute IsaacWiper to a specific group. The wider wave of wiper attacks on Ukrainian government and critical-infrastructure networks in early 2022 is assessed by Ukraine's CERT-UA and by Western governments, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), as Russian state-aligned activity; a link to Sandworm (GRU Unit 74455) has been suggested for parts of that wave but has not been established for IsaacWiper itself.

🔧 Technical Capabilities

IsaacWiper is an unsigned Windows PE, seen by ESET both as a DLL and as an EXE, with a far simpler design than HermeticWiper. It has no command-and-control channel, no self-propagation and no persistence mechanism: it is a run-once payload that the operators launch themselves after obtaining administrative access. Its name comes from the ISAAC pseudorandom number generator it uses to produce the overwrite data. Execution proceeds in two stages. First it enumerates physical disks by opening \\.\PhysicalDriveN handles and calling DeviceIoControl with IOCTL_STORAGE_GET_DEVICE_NUMBER, then overwrites the first 0x10000 bytes (64 KiB) of each disk with ISAAC output, destroying the MBR, or the protective MBR and GPT header, and leaving the machine unbootable. Second it enumerates logical drives and recursively overwrites the contents of every file it can open with more ISAAC output, so data is lost even on volumes whose partition tables could be rebuilt. Both stages run in a single thread, so a large disk takes a long time to wipe; a second version dropped on 25 February 2022 added a plain-text debug log at C:\ProgramData\log.txt, which ESET read as a sign the operators had trouble wiping some machines. ESET could not determine the delivery mechanism but saw the RemCom remote-execution tool in the affected network at the time of deployment, consistent with manual launch under stolen administrative credentials.
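A forensic triage check for the disk-header stage, as an added example (this is not code from the original page nor from ESET's analysis): it reads the first 0x10000 bytes of a raw disk image, tests for the MBR boot signature and the GPT header signature, and measures byte entropy, since a PRNG overwrite leaves a near-uniform byte distribution where the partition table used to be. The sample images are constructed inline; Python's Mersenne Twister stands in for ISAAC as the random source, and the 7.9 bits/byte entropy threshold is an assumed cut-off.

```python
import math
import random
from collections import Counter

# IsaacWiper overwrites the first 0x10000 bytes of each physical disk (ESET, March 2022).
WIPE_LEN = 0x10000
SECTOR = 512


def shannon_entropy(buf: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, close to 8.0 for uniform random data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def triage_disk_head(head: bytes) -> dict:
    """Classify the first 64 KiB of a disk image.

    'intact'       : an MBR boot signature or a GPT header signature survives
    'wiped'        : no signature and the region is near-uniform random, as a PRNG overwrite leaves it
    'inconclusive' : no signature but low entropy (zeroed disk, unformatted media, short image)
    """
    head = head[:WIPE_LEN]
    mbr_ok = len(head) >= SECTOR and head[510:512] == b"\x55\xaa"
    gpt_ok = len(head) >= 2 * SECTOR and head[SECTOR:SECTOR + 8] == b"EFI PART"
    entropy = shannon_entropy(head)
    if mbr_ok or gpt_ok:
        verdict = "intact"
    elif entropy > 7.9:          # assumed threshold; 64 KiB of random bytes scores ~7.997
        verdict = "wiped"
    else:
        verdict = "inconclusive"
    return {"mbr_signature": mbr_ok, "gpt_signature": gpt_ok,
            "entropy": round(entropy, 3), "verdict": verdict}


def triage_image(path: str) -> dict:
    """Read the disk head from a dd-style image or, on Windows with admin rights, a \\\\.\\PhysicalDriveN path."""
    with open(path, "rb") as f:
        return triage_disk_head(f.read(WIPE_LEN))


def build_intact_head() -> bytes:
    """Constructed sample of a healthy GPT disk: protective MBR, GPT header, zero filler."""
    mbr = bytearray(SECTOR)
    mbr[446 + 4] = 0xEE              # first partition entry, type 0xEE = GPT protective
    mbr[510:512] = b"\x55\xaa"       # MBR boot signature
    gpt = bytearray(SECTOR)
    gpt[0:8] = b"EFI PART"           # GPT header signature at LBA 1
    gpt[8:12] = b"\x00\x00\x01\x00"  # GPT revision 1.0
    return bytes(mbr) + bytes(gpt) + bytes(WIPE_LEN - 2 * SECTOR)


def build_wiped_head(seed: int = 1) -> bytes:
    """Constructed sample of a wiped disk head: 64 KiB of pseudorandom bytes.

    Python's Mersenne Twister stands in for ISAAC; for triage only the statistical
    signature of the overwrite matters, not which generator produced it.
    """
    return random.Random(seed).randbytes(WIPE_LEN)


if __name__ == "__main__":
    for label, sample in (("intact", build_intact_head()), ("wiped", build_wiped_head())):
        print(label, triage_disk_head(sample))
```

Run it against an acquired image with `triage_image("disk.dd")`. A result of `inconclusive` on a live case usually means the image is short or the disk was zeroed rather than overwritten with random data, so check the acquisition before concluding anything about the wiper.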

📜 History & Notable Incidents

IsaacWiper was first observed on 24 February 2022, one day after HermeticWiper, in a Ukrainian governmental network that HermeticWiper had not reached; ESET reported it on 1 March 2022. The oldest sample carries a PE compilation timestamp from October 2021, but such timestamps are trivially forged, so earlier use is possible but unproven. The CISA/FBI joint advisory AA22-057A, "Destructive Malware Targeting Organizations in Ukraine", was first published on 26 February 2022 covering WhisperGate (January 2022) and HermeticWiper, and was later updated to add IsaacWiper and CaddyWiper (the latter discovered by ESET in March 2022); these are four distinct wiper families from separate operations, not one campaign. No CVE is associated with IsaacWiper: it exploits no vulnerability and relies on administrative privileges obtained beforehand. In MITRE ATT&CK terms its behaviour maps to T1485 (Data Destruction) and T1561 (Disk Wipe).

🔍 Detection Indicators

ESET detects IsaacWiper as Win32/KillDisk.NCX and published SHA-1 hashes and observed file names for the samples in its 1 March 2022 report; take hashes from that source rather than from secondary copies, and expect hash matching to miss recompiled variants. There are no network indicators: the malware has no C2 and generates no traffic of its own. Behavioural indicators are more durable: a process that is not a backup, imaging or storage-management tool opening \\.\PhysicalDriveN or \Device\HarddiskVolumeN handles, followed by a sustained burst of file writes across every local volume; the creation of C:\ProgramData\log.txt holding plain-text wipe-progress messages (later variant only); and the installation of remote-execution services such as PsExec's PSEXESVC or RemCom's service shortly before wiping begins.

☠️ Risk & Impact

IsaacWiper renders a machine unbootable by overwriting the first 64 KiB of every physical disk and makes files unrecoverable by overwriting their contents, so recovery means reinstalling the operating system and restoring data from backups the attacker could not reach. No ransom is demanded; the objective is disruption. ESET observed it in a Ukrainian governmental network; affected-system counts and monetary loss figures have not been published for IsaacWiper specifically, and estimates quoted for the wider wave of February 2022 wiper attacks mostly concern HermeticWiper. Its single-threaded design is the one mitigating factor: file wiping is slow, so powering off a machine as soon as raw disk access is detected can preserve files the wiper has not yet reached, even though the machine will no longer boot.

🛡️ Mitigation

Because IsaacWiper is launched manually with administrative rights, the controls that matter are those that deny or detect that access: tiered administration with unique local-administrator passwords (LAPS), no domain-admin logons to workstations, and restricted RDP, SMB administrative shares and remote service creation. Microsoft's Attack Surface Reduction rule "Block process creations originating from PSExec and WMI commands" (d1e49aac-8f56-4280-b9ba-993a6d77406c) blocks the most common deployment path, with the caveat that it is incompatible with Configuration Manager clients and should be rolled out in audit mode first. For detection, Sysmon Event ID 11 (FileCreate) does not see raw disk writes; use Sysmon Event ID 9 (RawAccessRead) to catch processes opening \\.\ device handles, System log Event ID 7045 for remote-execution service installs, and EDR telemetry for write handles to physical drives. Keep offline or immutable backups and test restores, since a wiper leaves nothing else to recover from. CISA advisory AA22-057A collects these recommendations.
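The indicators and the monitoring advice above can be turned into a small correlation check. The following Python, an added example that is not part of the original page or of CISA's advisory, applies three rules to Windows event records: Sysmon Event ID 9 raw disk access from a process outside an allowlist, System Event ID 7045 installs of PsExec/RemCom-style services, and Sysmon Event ID 11 creation of the later variant's C:\ProgramData\log.txt. The allowlist paths, the binary path C:\Windows\Temp\cl.exe and the host name are hypothetical, and the events are constructed to mimic the field names of the real channels rather than taken from an incident.

```python
from __future__ import annotations

from dataclasses import dataclass

# Processes allowed to open raw disk/volume handles. Hypothetical paths: tune to your fleet.
RAW_DISK_ALLOWLIST = {
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\vssvc.exe",
    r"C:\Program Files\ExampleBackup\agent.exe",   # hypothetical backup agent
}
# Service names created by common remote-execution tools (PsExec, RemCom).
REMOTE_EXEC_SERVICES = {"PSEXESVC", "REMCOMSVC"}
# Debug log written by the later IsaacWiper variant (ESET).
ISAACWIPER_DEBUG_LOG = r"C:\ProgramData\log.txt"


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def check_event(ev: dict) -> list[Alert]:
    """Apply the three IsaacWiper-relevant rules to one Windows event (dict with Channel/EventID)."""
    alerts: list[Alert] = []
    host = ev.get("Computer", "?")
    chan, eid = ev.get("Channel"), ev.get("EventID")

    # Sysmon 9 (RawAccessRead): a process opened a disk or volume through a \\.\ handle.
    # Sysmon records reads, not writes, so this is a raw-access signal, not proof of destruction.
    if chan == "Sysmon" and eid == 9:
        if ev["Device"].startswith(r"\Device\Harddisk") and ev["Image"] not in RAW_DISK_ALLOWLIST:
            alerts.append(Alert("raw_disk_access", host, f"{ev['Image']} opened {ev['Device']}"))

    # System 7045: a new service was installed. PsExec/RemCom deployment shows up here.
    elif chan == "System" and eid == 7045:
        name = ev["ServiceName"].upper()
        if name in REMOTE_EXEC_SERVICES or name.startswith("PSEXE"):
            alerts.append(Alert("remote_exec_service", host,
                                f"service {ev['ServiceName']} -> {ev['ImagePath']}"))

    # Sysmon 11 (FileCreate): the later IsaacWiper variant writes its progress log here.
    elif chan == "Sysmon" and eid == 11:
        if ev["TargetFilename"].lower() == ISAACWIPER_DEBUG_LOG.lower():
            alerts.append(Alert("wiper_debug_log", host,
                                f"{ev['Image']} created {ev['TargetFilename']}"))

    return alerts


def scan(events: list[dict]) -> list[Alert]:
    """Run check_event over an event stream and collect every alert in order."""
    return [a for ev in events for a in check_event(ev)]


# Constructed sample events, in the order an IsaacWiper deployment would produce them.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 7045, "Computer": "fs01",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Channel": "Sysmon", "EventID": 9, "Computer": "fs01",        # benign: VSS/svchost raw read
     "Image": r"C:\Windows\System32\svchost.exe", "Device": r"\Device\HarddiskVolume3"},
    {"Channel": "Sysmon", "EventID": 9, "Computer": "fs01",        # hypothetical wiper binary
     "Image": r"C:\Windows\Temp\cl.exe", "Device": r"\Device\Harddisk0\DR0"},
    {"Channel": "Sysmon", "EventID": 11, "Computer": "fs01",
     "Image": r"C:\Windows\Temp\cl.exe", "TargetFilename": r"C:\ProgramData\log.txt"},
    {"Channel": "Sysmon", "EventID": 11, "Computer": "fs01",       # benign file create
     "Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": r"C:\Windows\Temp\update.log"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The field names (Image, Device, ServiceName, ImagePath, TargetFilename) follow the Sysmon and System event XML; map them from whatever your SIEM emits. The three rules fire at different points in the kill chain, so alert on any one of them but page on two within a few minutes on the same host: a service install followed by raw disk access is the window in which powering off still saves data.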


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.