Researchers have uncovered a new strain of damaging wiper malware impacting computers in Ukraine, making it at least the third strain discovered since the Russian invasion began.
The CaddyWiper malware was discovered by researchers at Slovakia-based cybersecurity firm ESET, who released details in a Monday tweet thread.
According to the researchers, the malware deletes user data and partition information on any drives connected to a compromised machine. Sample code released on Twitter shows that it corrupts files on the machine by overwriting them with null bytes, rendering them unrecoverable.
Thus far, the number of confirmed incidents in the wild appears to be modest, and ESET’s research has identified one organization that has been targeted by CaddyWiper, Boutin added.
Previously, ESET researchers discovered two additional variants of wiper malware targeting PCs in Ukraine. Researchers found the first strain, dubbed HermeticWiper, on February 23rd, only one day before Russia launched its armed invasion of Ukraine. On February 24th, another wiper known as IsaacWiper was deployed in Ukraine.
However, according to an ESET timeline, both IsaacWiper and HermeticWiper were in development for several months prior to their release.
Wiper programs are similar to ransomware in that they can access and modify files on a compromised system. Unlike ransomware, which encrypts data on a drive until the attacker is paid a ransom, wipers destroy disk data permanently and provide no method to retrieve it. This suggests that the malware’s sole purpose is to cause harm to the target, rather than to extract financial gain for the attacker.
While pro-Russian hackers employed malware to damage data on Ukrainian computer systems, other pro-Ukrainian hackers used the opposite strategy, exposing data from Russian businesses and government institutions as an offensive tactic.
While large-scale cyber warfare has thus far been absent from the Russia-Ukraine conflict, it is plausible that larger attacks are still in the works. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) issued advice to businesses warning that they may be affected by the same type of destructive malware used in Ukraine.