CaddyWiper Malware Unleashed against Ukrainian Networks
Russian cybercriminals continue to unleash new malware against Ukrainian systems and networks. Due to the nature of the current conflict, they are not focused on spying on their victims or stealing information. Instead, they are using destructive threats, such as the CaddyWiper Malware. While it is identical in functionality compared to HermeticWiper and IsaacWiper, it does not appear to be a spin-off of one of those two. Instead, it is a unique implant, which carries out a destructive attack meant to break systems down completely.
It's important to add that neither the networks, which were attacked by the CaddyWiper Malware have probably been compromised for a long time. The situation was the same with the other two wipers mentioned above. It is likely that the cybercriminals have had access to the system for a long time, and they were waiting for the right time to deploy the malicious software.
The CaddyWiper Malware aims to delete files from various folders, but it does not wipe out the MBR like the other two threats we mentioned. An interesting quirk of CaddyWiper Malware is the fact that it skips encrypting data related to domain controllers. The goal of this action is to ensure that the criminals will still have access to other systems across the network – if the domain controller data was deleted, this would be impossible.
The Russian cyberattacks against Ukrainians are certainly far from over. The fact that the hackers responsible for them have had access to the compromised systems long before deploying the malware is likely to mean that they have carried out other, under the radar attacks in the past