Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware

Mayuresh Dani

Last updated on: December 22, 2022

The Ukrainian Government has been targeted by HermeticWiper, a new ransomware-like data wiper. Its aim is not simply to encrypt the victim’s data, but rather to render a system essentially unusable. In this blog, our Research Team details our analysis of how this aggressive new malware works.

The origin of HermeticWiper seems to be closely connected to the start of the Russia/Ukraine conflict. HermeticWiper is a new ransomware-like data wiper that was deployed beginning February 23, 2022. Based on multiple intelligence reports, the wiper-ware is preceded by exploits that aid in malware deployment or multiple distributed denial-of-service attacks to shut down protective services. Attacks have been observed against hundreds of Ukrainian websites related to the local government. Discovered mere hours before Russian troops rolled into Ukraine, the cyberattack is widely seen as the opening salvo of Moscow’s invasion. As of this writing, HermeticWiper activity has since been found in Latvia and Lithuania.

The primary objective of the HermeticWiper is to destroy the master boot record (MBR) of a system, shredding data and rendering the system unusable.

Portable Executable Details of HermeticWiper

The file that we analyzed has a timestamp of “2021-12-28”. This wiper-ware got its name because the attackers used a code-signing certificate issued to “Hermetica Digital Ltd.” This traces back to a small videogame design business based in Cyprus with no links to Russia that claims it never applied for a digital certificate, pointing to possible identity theft. Operating systems use code-signing as an initial check on software, so it may have been designed to help the rogue program dodge anti-virus protections.

The sample we analyzed presented the following details:

Another quirk that we noticed from most of the HermeticWiper samples was the use of the “gift” icon.

Whether this was a sick joke on the part of the attackers, or merely use of a commonly observed Visual Studio icon – we will never know.

Technical Details of HermeticWiper

HermeticWiper itself is just 115kbs and comes packed with drivers, which are extracted depending on the operating system. These drivers are compressed in “SZDD” format as can be seen here:

As the names suggest, drivers are dropped after meeting the operating system criteria:

  1. DRV_X64: Windows 7+ 64-bits
  2. DRV_X86: Windows 7+ 32-bits
  3. DRV_XP_X64: Windows XP 64-bits
  4. DRV_XP_X32: Windows XP 32-bits

Interestingly, the sample that we analyzed made use of an expired certificate from the “CHENGDU YIWO Tech Development Co. Ltd.” A basic Google search reveals that this is a professional data recovery and data security company based in Sichuan, China. This certificate appears to be legitimate.

Other researchers have found similar drivers from EaseUS Partition Manager. A search for that company name comes up with more details on the Chengdu YIWO Tech and EaseUS relationship:

This driver does the heavy lifting of causing harm to your system. This is a known technique and has been used a couple of times by well-known Advanced Persistent Threat groups.


Watch out for processes executing drivers or dynamic link libraries with expired certificates.

Post execution, HermeticWiper gains the following privileges:

  1. SeBackupPrivilege
  2. SeDebugPrivilege
  3. SeLoadDriverPrivilege

Later in the execution chain, the SeLoadDriverPrivilege is used to load the extracted driver. Then one of the four drivers is dropped, after which the Volume Shadow Copy (VSS) service – which allows backups to be performed – is stopped.


  1. Watch out for processes gaining unnecessary and sensitive privileges like the ones mentioned above.
  2. Watch out for important Windows service stoppages.

HermeticWiper then changes the CrashDumpEnabled registry key value to 0, under the System\CurrentControlSet\Control\CrashControl registry setting, so that memory dumps are disabled.


Watch out for unauthorized processes making registry changes.

After this registry change, ShowCompColor and ShowInfoTip keys are also modified to disable the display of compressed and encrypted NTFS files in color. This setting allows you to see compressed files in a blue color. For example:

Qualys Multi-Vector EDR customers are presented with the following details capturing the behavior.

Then, hard drives on a system are enumerated and for each drive, the \\.\EPMNTDRV\ device is called. Then the driver that was extracted is loaded by creating a new service using the CreateServiceW which rewrites the first 512 bytes of the Master Boot Record (MBR).

The code further suggests that HermeticWiper enumerates the following files and folders…

  • AppData
  • Desktop
  • ProgramFiles
  • ProgramFiles(x86)
  • Perflogs
  • C:\Documents and Settings
  • C:\Windows\System32\winevt\logs
  • System Volume Information

…the following Master File Table metafiles…

  • $LogFile: Journal to record metadata transactions.
  • $Bitmap: Records allocation status of each cluster in the file system.
  • $Attribute_List:

…and the following NTFS streams:

  • $DATA – Contains file data.
  • $I30 – NTFS index attribute
  • $INDEX_ALLOCATION: Stream type of a directory.


Watch out for processes enumerating multiple locations and data streams.

Post successful execution, HermeticWiper makes use of the InitiateSystemShutdownEx API to shut down the system. Once rebooted, since the MBR has been rewritten, we see a blank screen with the words “Missing operating system.”

HermeticWiper Detection with Qualys Multi-Vector EDR

Out of the box, Qualys Multi-Vector EDR provides detection and prevention capabilities that can help enterprise security teams to find Indicators of Compromise.

HermeticWiper MITRE ATT&CK TID Map

Privilege EscalationT1134Access Token ManipulationHermeticWiper modifies its security token to grants itself debugging privileges by adding SeDebugPrivilege, creating backups by adding SeBackupPrivilege and load drivers by adding SeLoadDriverPrivilege.
DiscoveryT1082System Information DiscoveryHermeticWiper enumerates the operating system and its bit-size according to which embedded drivers are dropped
Defense EvasionT1112Modify RegistryHermeticWiper modifies multiple keys
ExecutionT1106Native APIHermeticWiper uses the AdjustTokenPrivileges to give itself the following privileges: SeShutdownPrivilege, SeBackupPrivilege and SeLoadDriverPrivilege.
PersistenceT1543.003Create or Modify System Process: Windows ServiceHermeticWiper loads the extracted driver, by creating a new service using the CreateServiceW API.
ImpactT1561.002Disk Wipe: Disk Structure WipeHermeticWiper damages the Master Boot Record (MBR) of the infected computer.
ImpactT1490Inhibit System RecoveryHermeticWiper stops the Volume Shadow Copy service.
ImpactT1489Service StopHermeticWiper stops the Volume Shadow Copy service.
DiscoveryT1083File and Directory DiscoveryHermeticWiper enumerates multiple files and folders such as AppData, Desktop, etc.
ImpactT1529System Shutdown/RebootHermeticWiper initiates a system shutdown via the InitiateSystemShutdownEx API.

HermeticWiper IOCs

Show Comments (3)


Your email address will not be published. Required fields are marked *

  1. This level of double-speak is not helpful in the current situation. Either it is ransomware that encrypts files, or it just wipes files. It’s time to lose the click-bait keyword loading and communicate clearly. Qualys is above this kind of marketing speak, so stick to the technicals, and don’t try to spin us.

    1. Hi Doug, good to read your comment and see that you hold Qualys with a high regard. As mentioned in the third paragraph, HermeticWiper is primarily a wiper that wipes the MBR data. The term “ransomware-like data wiper” is used since it exhibits ransomware-like activity such as programmatically detecting all connected hard drives, traversing through folders and disabling the backup service. There was no intent to make the article click-bait loaded.