win.hermeticwiper

HermeticWiper

aka: DriveSlayer, FoxBlade, KillDisk.NCV, NEARMISS

According to SentinelLabs, HermeticWiper is a custom-written application with very few standard functions. It abuses a signed driver, "empntdrv.sys", that belongs to the legitimate "EaseUS Partition Master" software to enumerate the MBR and all partitions of every physical drive attached to the victim's Windows machine, and it overwrites the first 512 bytes of each MBR and partition it finds, rendering them unusable.
This malware is associated with the attacks on Ukraine during the Russian invasion in February 2022.

References
2024-04-16 | Mandiant | Alden Wahlstrom, Anton Prokopenkov, Dan Black, Dan Perez, Gabby Roncone, John Wolfram, Lexie Aytes, Nick Simonian, Ryan Hall, Tyler McLellan
APT44: Unearthing Sandworm
VPNFilter BlackEnergy CaddyWiper EternalPetya HermeticWiper Industroyer INDUSTROYER2 Olympic Destroyer PartyTicket RoarBAT Sandworm
2023-04-18 | Mandiant | Mandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-03-15 | Microsoft | Microsoft Threat Intelligence
A year of Russian hybrid warfare in Ukraine
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket SwiftSlicer WhisperGate
2023-02-24 | Twitter (@Sebdraven) | Sébastien Larinier
Tweet on IOCTL manipulation in TDL4 and HermeticWiper
Alureon HermeticWiper
2023-02-15 | Google | Google Threat Analysis Group, Mandiant
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla
2022-12-03 | Microsoft | Cliff Watts
Preparing for a Russian cyber offensive against Ukraine this winter
CaddyWiper HermeticWiper Prestige
2022-10-24 | Youtube (Virus Bulletin) | Alexander Adamov
Russian wipers in the cyberwar against Ukraine
AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate
2022-09-26 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-08-18 | Trustwave | Pawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-12 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-06-06 | Trellix | Trellix
Growling Bears Make Thunderous Noise
Cobalt Strike HermeticWiper WhisperGate NB65
2022-06-02 | Eclypsium | Eclypsium
Conti Targets Critical Firmware
Conti HermeticWiper TrickBot WhisperGate
2022-05-19 | Mandiant | Alden Wahlstrom, Alice Revelli, David Mainor, Ryan Serabian, Sam Riddell
The IO Offensive: Information Operations Surrounding the Russian Invasion of Ukraine
HermeticWiper PartyTicket
2022-05-02 | AT&T | Fernando Martinez
Analysis on recent wiper attacks: examples and how wiper malware works
AcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper
2022-04-28 | Fortinet | Gergely Revay
An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-04-27 | Microsoft | Microsoft Digital Security Unit (DSU)
Special Report: Ukraine. An overview of Russia’s cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate
2022-04-07 | InQuest | Nick Chalard, Will MacArthur
Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-03-25 | GOV.UA | State Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-24 | NextGov | Brandi Vincent
Ukrainian Cyber Lead Says ‘At Least 4 Types of Malware’ in Use to Target Critical Infrastructure and Humanitarian Aid
CaddyWiper DoubleZero HermeticWiper IsaacWiper
2022-03-21 | eSentire | eSentire
eSentire Threat Intelligence Malware Analysis: HermeticWiper & PartyTicket
HermeticWiper PartyTicket
2022-03-17 | BlackBerry | BlackBerry Research & Intelligence Team
Threat Thursday: HermeticWiper Targets Defense Sectors in Ukraine
HermeticWiper
2022-03-14 | Kaspersky | GReAT
Webinar on cyberattacks in Ukraine – summary and Q&A
HermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate
2022-03-11 | Bitdefender | Radu Crahmaliuc
Five Things You Need to Know About the Cyberwar in Ukraine
HermeticWiper WhisperGate
2022-03-11 | Security Boulevard | Teri Robinson
IsaacWiper Followed HermeticWiper Attack on Ukraine Orgs
HermeticWiper IsaacWiper
2022-03-10 | BrightTALK (Kaspersky GReAT) | Costin Raiu, Dan Demeter, Ivan Kwiatkowski, Kurt Baumgartner, Marco Preuss
BrightTALK: A look at current cyberattacks in Ukraine
HermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate
2022-03-10 | Splunk | Splunk Threat Research Team
Detecting HermeticWiper
HermeticWiper PartyTicket
2022-03-10 | Brandefense | Brandefense
HermeticWiper - Technical Analysis Report
HermeticWiper
2022-03-04 | Github (eln0ty) | Abdallah Elnoty
HermeticWiper/FoxBlade Analysis (in-depth)
HermeticWiper
2022-03-04 | Malwarebytes | Malwarebytes Threat Intelligence
HermeticWiper: A detailed analysis of the destructive malware that targeted Ukraine
HermeticWiper
2022-03-04 | VMware | Giovanni Vigna, Oleg Boyarchuk, Stefano Ortolani, Threat Analysis Unit
Hermetic Malware: Multi-component Threat Targeting Ukraine Organizations
HermeticWiper
2022-03-04 | Mandiant | James Sadowski, Ryan Hall
Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation
HermeticWiper PartyTicket WhisperGate
2022-03-03 | Trend Micro | Trend Micro Research
IOC Resource for Russia-Ukraine Conflict-Related Cyberattacks
ClipBanker Conti HermeticWiper PartyTicket WhisperGate
2022-03-03 | LIFARS | LIFARS
A Closer Look at the Russian Actors Targeting Organizations in Ukraine
HermeticWiper IsaacWiper Saint Bot WhisperGate
2022-03-03 | Cloudsek | Anandeshwar Unnikrishnan, Deepanjli Paulraj
Technical Analysis of The Hermetic Wiper Malware Used to Target Ukraine
HermeticWiper
2022-03-03 | YouTube (MBSD) | MBSD
Infection and explanation of "Hermetic Wiper", a destructive malware targeting Ukraine
HermeticWiper
2022-03-02 | Recorded Future | Insikt Group
HermeticWiper and PartyTicket Targeting Computers in Ukraine
HermeticWiper PartyTicket
2022-03-02 | Trellix | Max Kersten
Digging into HermeticWiper
HermeticWiper
2022-03-01 | Kaspersky Labs | Kaspersky
Ransomware as a distraction
HermeticWiper PartyTicket
2022-03-01 | Elastic | Andrew Pease, Cyril François, Daniel Stepanic, Github (@1337-42), Github (@ayfaouzi), Github (@jtnk), Mark Mager, Samir Bousseaden
Elastic protects against data wiper malware targeting Ukraine: HERMETICWIPER
HermeticWiper
2022-03-01 | Threat Post | Lisa Vaas
Ukraine Hit with Novel ‘FoxBlade’ Trojan Hours Before Invasion
HermeticWiper
2022-03-01 | DeepInstinct | Ido Kringel
What is HermeticWiper – An Analysis of the Malware and Larger Threat Landscape in the Russian Ukrainian War
HermeticWiper
2022-03-01 | ESET Research | ESET Research
IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine
HermeticWiper IsaacWiper PartyTicket
2022-03-01 | Qualys | Mayuresh Dani
Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware
HermeticWiper
2022-03-01 | Marco Ramilli's Blog | Marco Ramilli
DiskKill/HermeticWiper and NotPetya (Dis)similarities
EternalPetya HermeticWiper
2022-02-28 | Microsoft | MSRC Team
Cyber threat activity in Ukraine: analysis and resources
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586
2022-02-28 | Trellix | Taylor Mullins
Trellix Global Defenders: Cyberattacks Targeting Ukraine and HermeticWiper Protections
HermeticWiper
2022-02-28 | ZDNet | Jonathan Greig
Microsoft finds FoxBlade malware on Ukrainian systems, removes RT from Windows app store
HermeticWiper
2022-02-28 | Microsoft | MSRC Team
Cyber threat activity in Ukraine: analysis and resources
HermeticWiper IsaacWiper PartyTicket WhisperGate
2022-02-28 | Microsoft Sentinel 101 | mzorich
Detecting malware kill chains with Defender and Microsoft Sentinel
HermeticWiper
2022-02-26 | Yoroi | Carmelo Ragusa, Luca Mella, Luigi Martire
DiskKill/HermeticWiper, a disruptive cyber-weapon targeting Ukraine’s critical infrastructures
HermeticWiper
2022-02-26 | CISA
Alert (AA22-057A) Destructive Malware Targeting Organizations in Ukraine
HermeticWiper WhisperGate
2022-02-26 | CISA | CISA, FBI
Destructive Malware Targeting Organizations in Ukraine
HermeticWiper WhisperGate
2022-02-25 | The Hacker News | Ravie Lakshmanan
Putin Warns Russian Critical Infrastructure to Brace for Potential Cyber Attacks
HermeticWiper WhisperGate
2022-02-25 | Twitter (@fr0gger) | Thomas Roccia
Tweets with an overview of HermeticWiper
HermeticWiper
2022-02-25 | SOCRadar | SOCRadar
What You Need to Know About Russian Cyber Escalation in Ukraine
Mirai HermeticWiper
2022-02-25 | CyberPeace Institute
UKRAINE: Timeline of Cyberattacks
VPNFilter EternalPetya HermeticWiper WhisperGate
2022-02-25 | Secureworks | Counter Threat Unit Research Team
Disruptive HermeticWiper Attacks Targeting Ukrainian Organizations
HermeticWiper
2022-02-25 | Deutsche Gesellschaft für Cybersicherheit | Deutsche Gesellschaft für Cybersicherheit (DGC)
Breaking news! Warning about “HermeticWiper Malware” by Russian APT Groups
HermeticWiper
2022-02-25 | EnglertOne | Thomas Englert
Reverse Engineering | Hermetic Wiper
HermeticWiper
2022-02-25 | CrowdStrike | Adrian Liviu Arsene, Farid Hendi, William Thomas
CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks
HermeticWiper
2022-02-24 | RiskIQ | RiskIQ
RiskIQ: HermeticWiper Compromised Server Used in Attack Chain
HermeticWiper
2022-02-24 | IBM | Anne Jobmann, Christopher Del Fierro, Claire Zaboeva, John Dwyer, Richard Emerson
IBM Security X-Force Research Advisory: New Destructive Malware Used In Cyber Attacks on Ukraine
HermeticWiper
2022-02-24 | Zscaler | Deepen Desai
HermeticWiper & resurgence of targeted attacks on Ukraine
HermeticWiper
2022-02-24 | ESET Research | welivesecurity
HermeticWiper: New data‑wiping malware hits Ukraine
HermeticWiper
2022-02-24 | t3n | Elisabeth Urban
Cyber attacks on Ukraine: wiper malware infects "hundreds of computers"
HermeticWiper
2022-02-24 | Tesorion | TESORION
Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate
2022-02-24 | Cluster25
Ukraine: Analysis Of The New Disk-Wiping Malware (HermeticWiper)
HermeticWiper
2022-02-24 | NVISO | Michel Coene
Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate
2022-02-24 | Symantec | Symantec Threat Hunter Team
Ukraine: Disk-wiping Attacks Precede Russian Invasion
HermeticWiper
2022-02-23 | Sentinel LABS | Juan Andrés Guerrero-Saade
HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine
HermeticWiper
2022-02-23 | The Hacker News | Ravie Lakshmanan
New Wiper Malware Targeting Ukraine Amid Russia's Military Operation
HermeticWiper
2022-02-23 | Twitter (@threatintel) | Symantec Threat Intelligence
Tweet on new wiper malware being used in attacks on Ukraine
HermeticWiper
2022-02-23 | The Record | Catalin Cimpanu
Second data wiper attack hits Ukraine computer networks
HermeticWiper WhisperGate
2022-02-22 | Palo Alto Networks Unit 42 | Unit 42
Russia-Ukraine Crisis: How to Protect Against the Cyber Impact
HermeticWiper
Yara Rules
[TLP:WHITE] win_hermeticwiper_auto (20251219 | Detects win.hermeticwiper.)
rule win_hermeticwiper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.hermeticwiper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83d1ff 894dbc 03ff 83cf01 ebe7 8b75d4 }
            // n = 6, score = 200
            //   83d1ff               | adc                 ecx, -1
            //   894dbc               | mov                 dword ptr [ebp - 0x44], ecx
            //   03ff                 | add                 edi, edi
            //   83cf01               | or                  edi, 1
            //   ebe7                 | jmp                 0xffffffe9
            //   8b75d4               | mov                 esi, dword ptr [ebp - 0x2c]

        $sequence_1 = { 68???????? eb2f ff15???????? 3d7e040000 0f8522040000 837df800 }
            // n = 6, score = 200
            //   68????????           |                     
            //   eb2f                 | jmp                 0x31
            //   ff15????????         |                     
            //   3d7e040000           | cmp                 eax, 0x47e
            //   0f8522040000         | jne                 0x428
            //   837df800             | cmp                 dword ptr [ebp - 8], 0

        $sequence_2 = { 0f86fe000000 8b55d0 8d4630 8945f8 6690 8b00 85c0 }
            // n = 7, score = 200
            //   0f86fe000000         | jbe                 0x104
            //   8b55d0               | mov                 edx, dword ptr [ebp - 0x30]
            //   8d4630               | lea                 eax, [esi + 0x30]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   6690                 | nop                 
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   85c0                 | test                eax, eax

        $sequence_3 = { 53 51 51 52 b980000000 e8???????? 8b4c2428 }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   52                   | push                edx
            //   b980000000           | mov                 ecx, 0x80
            //   e8????????           |                     
            //   8b4c2428             | mov                 ecx, dword ptr [esp + 0x28]

        $sequence_4 = { 8845fb 84e4 0f856dfeffff 5f 5e 5b 8be5 }
            // n = 7, score = 200
            //   8845fb               | mov                 byte ptr [ebp - 5], al
            //   84e4                 | test                ah, ah
            //   0f856dfeffff         | jne                 0xfffffe73
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp

        $sequence_5 = { 8b4e10 8b7e08 03cf 8b560c 8b4614 13c2 89542418 }
            // n = 7, score = 200
            //   8b4e10               | mov                 ecx, dword ptr [esi + 0x10]
            //   8b7e08               | mov                 edi, dword ptr [esi + 8]
            //   03cf                 | add                 ecx, edi
            //   8b560c               | mov                 edx, dword ptr [esi + 0xc]
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]
            //   13c2                 | adc                 eax, edx
            //   89542418             | mov                 dword ptr [esp + 0x18], edx

        $sequence_6 = { 83ee02 eb02 8bf3 397df0 7531 6a5c 6a00 }
            // n = 7, score = 200
            //   83ee02               | sub                 esi, 2
            //   eb02                 | jmp                 4
            //   8bf3                 | mov                 esi, ebx
            //   397df0               | cmp                 dword ptr [ebp - 0x10], edi
            //   7531                 | jne                 0x33
            //   6a5c                 | push                0x5c
            //   6a00                 | push                0

        $sequence_7 = { 8b401c 83c118 03c1 8b4c2414 89442424 3bf0 736e }
            // n = 7, score = 200
            //   8b401c               | mov                 eax, dword ptr [eax + 0x1c]
            //   83c118               | add                 ecx, 0x18
            //   03c1                 | add                 eax, ecx
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   3bf0                 | cmp                 esi, eax
            //   736e                 | jae                 0x70

        $sequence_8 = { 57 56 ff15???????? 85c0 752a ff15???????? 33ff }
            // n = 7, score = 200
            //   57                   | push                edi
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   752a                 | jne                 0x2c
            //   ff15????????         |                     
            //   33ff                 | xor                 edi, edi

        $sequence_9 = { 5e b801000000 5b 8be5 5d c20c00 8b7510 }
            // n = 7, score = 200
            //   5e                   | pop                 esi
            //   b801000000           | mov                 eax, 1
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20c00               | ret                 0xc
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]

    condition:
        7 of them and filesize < 247808
}