Recently, there have been multiple reports of new wiper malware observed targeting Ukrainian organizations as part of cyber warfare stemming from the ongoing Russia-Ukraine conflict. This new wiper malware, also known as HermeticWiper, was first detected in February 2022, and was deployed after a wave of multiple Distributed Denial of Service (DDoS) attacks launched by Russian threat actors against Ukrainian law enforcement and government agencies.
eSentire’s Threat Intelligence team has performed a technical malware analysis of HermeticWiper and PartyTicket. This analysis provides a detailed breakdown of how HermeticWiper gains access to the physical drives of the host and how PartyTicket encrypts the targeted file types on the host and across the network.
With the ongoing Russia-Ukraine conflict, it’s probable that threat actors from Russia and Ukraine will leverage new malware in the ongoing hybrid war and improve their malware development capabilities to evade detections.
The destructive malware dubbed ‘HermeticWiper’ by SentinelLabs was first detected by researchers at ESET on February 23rd, 2022, at 10am EST. Five hours later, the Cyber Police of Ukraine reported DDoS attacks on several Ukrainian government agencies, including the Cabinet of Ministers of Ukraine, the Verkhovna Rada (the unicameral parliament of Ukraine), the Security Service of Ukraine, the Ministry of Foreign Affairs, and other Ukrainian government organizations.
The reports stated that the DDoS attacks had been ongoing since February 15th and linked the attacks, including numerous phishing attempts, to Russian threat actors. As part of these attacks, HermeticWiper was installed on hundreds of machines in Ukraine, but evidence of HermeticWiper was also found in Lithuania and Latvia.
On February 27th, Ukrainian border control systems were reported to be infected with HermeticWiper, which prevented refugees from crossing into Romania. Symantec also reported that the ransomware named PartyTicket was dropped on the compromised machines.
On February 24-25th researchers at Symantec reported three potential initial vectors of compromise:
HermeticWiper sample (SHA-256): 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
HermeticWiper is a 32-bit executable written in C++ and, at 114 KB, is over four times the size of its predecessor, WhisperGate (27 KB). WhisperGate was also used as decoy ransomware and destructive malware in January 2022 to target Ukrainian organizations. The compiler timestamp dates to December 28, 2021; note, however, that this timestamp can easily be modified by the threat actors. The sample is signed with a code-signing certificate issued to Hermetica Digital Ltd, a Cyprus-based company, valid from April 12, 2021 until April 14, 2022 (Exhibit 1). Based on this, eSentire’s Threat Intelligence team has determined that the malware was probably developed in April 2021.
The RCDATA resource (the raw data resource of an application) contains 4 drivers: DRV_X64, DRV_X86, DRV_XP_X64, DRV_XP_X86. The drivers are compressed with SZDD (Haruhiko Okumura's LZSS), a compression algorithm known to be used by Microsoft installation programs (Exhibit 2).
The decompressed drivers are signed by Chengdu YIWO Tech Development Co Ltd, the developer of EaseUS (Exhibit 3).
The use of the EaseUS partition-management driver to access the file systems is an improvement over WhisperGate. The drivers contain a program database (PDB) path, which holds debugging information: d:\epm\_epm_main\mod.windiskaccessdriver\windiskaccessdriver\objfre_wlh_x86\i386\epmntdrv.pdb
This indicates that the attackers abused the legitimate driver epmntdrv.sys, developed by EaseUS, to gain access to the physical drives of the victim’s machine.
The wiper chooses which driver to plant on the victim’s machine based on the Windows version, which Windows expresses as a major and a minor version number. If the major version is greater than or equal to 6 (the minor version being 0 or higher), the wiper selects the DRV_X64 and DRV_X86 drivers; otherwise it selects the DRV_XP_X64 and DRV_XP_X86 drivers (Exhibit 4).
Microsoft’s operating system version table lists the major and minor version numbers for each Windows release; refer to it for more information.
The wiper then assigns itself the following privileges:
The wiper creates a service named after the dropped system driver via the CreateServiceW API, pointing it at C:\Windows\System32\drivers\rhdr.sys (note that the driver’s name is randomly generated from 4 characters). After the service has started successfully, the wiper sleeps for 1000 milliseconds (about 1 second) and then marks the service for deletion, at which point the user cannot manually delete or stop it.
The EPMNTDRV device name is mapped to the path of the dropped system driver (Exhibit 5) and is then used to retrieve the physical drive number via the DeviceIoControl API (used to query information about the drive).
HermeticWiper then runs a loop that enumerates physical drives up to 100, in contrast to WhisperGate’s loop, which repeats up to 199 times (Exhibit 6). For every enumerated physical drive, the wiper overwrites the first 512 bytes, which hold the master boot record (MBR), making the machine unbootable on the next restart.
In addition to the drive enumeration, the wiper also looks for the following folders:
Boot and System Volume Information are two important folders on which Windows operability depends. The Boot folder stores the Boot Configuration Data (BCD), which contains information about the OS and its boot parameters; without the BCD file, Windows cannot boot. The System Volume Information folder is used by the System Restore tool to store restore points.
The purpose of enumerating the above folders is unclear. It is notable that the threat actors crafted the malware to make sure all the folders and logs are wiped, and that the victim’s machine remains inoperable if the MBR wiping goes wrong. We believe it’s probable that this was done to clear logs to avoid detection and attribution.
Next, the crash dump logging is disabled by setting the registry value CrashDumpEnabled to 0 (Exhibit 7).
The Volume Shadow Copy Service (VSS) is also disabled via the ChangeServiceConfigW API (which changes a service’s configuration) by passing the SERVICE_DISABLED start type (Exhibit 8).
The sample also queries for NTFS attribute types and metadata:
Other attributes such as $REPARSE_POINT and $LOGGED_UTILITY_STREAM were also found in the .rdata section but were never referenced by anything. The partition corruption is dependent on whether the system has NTFS or FAT partitions (Exhibit 9).
PartyTicket sample (SHA-256): 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382
The ransomware sample is a 64-bit binary written in Go, 3.14 MB in size, with an empty compilation timestamp. The following sections of the sample determine which file types to encrypt, which directories to skip, and which drive letters to enumerate (Exhibit 10).
The function at _C__projects_403forBiden_wHiteHousE_baggageGatherings enumerates the drive letters from A to Z (Exhibit 11).
The function at __C__projects_403forBiden_wHiteHousE_init checks whether the OS supports AVX (Advanced Vector Extensions, supported by Windows 7 SP1 and later) and is also responsible for folder and file manipulation and for retrieving time zone data.
The function at _C__projects_403forBiden_wHiteHousE_FileName retrieves up to 55 file extensions and converts them to lowercase strings (Exhibit 12).
Approximately 54 file extensions are retrieved from memory for encryption, not counting the extension appended to encrypted files, “.Encryptedjb” (Exhibit 13):
```text
.docx  .doc   .odt   .xls   .xlsx  .rtf
.ppt   .pptx  .one   .xps   .pub   .vsd   .txt
.jpg   .jpeg  .bmp   .ico   .png   .gif   .sql
.xml   .pgsql .zip   .rar   .exe   .msi   .vdif
.ova   .avi   .dip   .epub  .iso   .sfx   .inc
.contact .url .mp3   .wmv   .wma   .wtv   .avi
.acl   .cfg   .chm   .crt   .css   .dat   .dll
.cab   .htm   .html
```
During the encryption process, the sample writes a ransom note named “read_me.html” to the victim’s Desktop containing the contact information (Exhibits 14-15).
The ransomware implements AES-GCM encryption for the files (Exhibit 16). An RSA public key is also used to encrypt the AES key, which is base64-encoded and embedded in the encrypted file. Here is the decoded RSA-OAEP public key with exponent 65537:
```json
{"N":25717750538564445875883770450315010157700597087507334907403500443913073702720939931824608270980020206566017538751505629421265104974103147570147793053042036863191254946923781676642090335412731279862111354061120228616841376992917732378943779121050854967382946609942428983247336676216790986210080736803862945150526472173167906828929762505592535870383583936487111702345068645085659309737832227242430435624646519262394891097897303125875418724226485960819950080048563760122492117729591949924833142856225432439701811178348276860736565390543324668247780303411465497265471890279550350192239339342142099892835177175612362030619,"E":65537}
```
The AES key is generated with math/rand, which produces a pseudorandom (and therefore deterministic) sequence of values. That means the key can easily be regenerated to decrypt the files. During the analysis, we observed the same AES 16-bit key, “6FBBD7P95OE8UT5QRTTEBIWAR88S74DO”, being used to encrypt the files, because the code always uses the same seed value (Exhibit 17).
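The weakness described above, as an added example written for this article (it is not PartyTicket’s code and not eSentire’s): a key drawn from a fixed-seed math/rand source is identical on every run, so an analyst who knows the derivation regenerates it and opens the AES-GCM ciphertext without ever needing the RSA private key that wraps the stored copy. The alphabet, the seed value, the 32-byte key length and the nonce-prefixed file layout are constructed assumptions; the malware’s real values are not on the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	crand "crypto/rand"
	"errors"
	"fmt"
	"io"
	"math/rand"
)

// Constructed for this example: PartyTicket's real alphabet and seed are not
// on the page, so these placeholders stand in for them.
const (
	keyAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	fixedSeed   = int64(1337)
	keyLen      = 32 // 32 bytes selects AES-256
)

// weakKey reproduces the design flaw: math/rand seeded with a constant yields
// the same byte sequence on every run and on every machine, so the "random"
// key is really a constant.
func weakKey() []byte {
	r := rand.New(rand.NewSource(fixedSeed))
	key := make([]byte, keyLen)
	for i := range key {
		key[i] = keyAlphabet[r.Intn(len(keyAlphabet))]
	}
	return key
}

// sealGCM encrypts with AES-GCM and prepends the random 12-byte nonce, which
// is the assumed on-disk layout: nonce || ciphertext || GCM tag.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(crand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM splits nonce || ciphertext and authenticates before decrypting; a
// wrong key fails the tag check instead of returning garbage.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// recoverWithoutPrivateKey is the incident-response consequence: because the
// derivation is deterministic, the key is regenerated locally and the
// RSA-wrapped copy embedded in the file is never needed.
func recoverWithoutPrivateKey(sealed []byte) ([]byte, error) {
	return openGCM(weakKey(), sealed)
}

func main() {
	plaintext := []byte("constructed sample document contents")
	sealed, err := sealGCM(weakKey(), plaintext)
	if err != nil {
		panic(err)
	}
	got, err := recoverWithoutPrivateKey(sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("key regenerated identically: %v\n", bytes.Equal(weakKey(), weakKey()))
	fmt.Printf("recovered plaintext matches:  %v\n", bytes.Equal(got, plaintext))
}
```

Using rand.New(rand.NewSource(seed)) rather than the package-level functions keeps the demonstration deterministic on every Go version; in Go 1.20 and later the global math/rand source is seeded randomly unless rand.Seed is called, but an explicit constant-seeded source behaves exactly as the analysis describes.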
All encrypted file names will have the following extension: “.[[email protected]].encryptedJB” and each encrypted file will contain the marker “ZVL2KH87ORH3OB1J1PO2SBHWJSNFSB4A” at the end.
During the encryption process, the main executable creates duplicates of itself in the working directory. Each duplicate is named with a GUID in the format “xxxxxxxx-xxxx-11ec-xxxx-000c29xxxxxx.exe” (Exhibit 18), and each copy in turn copies itself using the same pattern with the command “cmd /c copy C:\workdir\xxxxxxxx-xxxx-11ec-xxxx-000c29xxxxxx.exe xxxxxxxx-xxxx-11ec-xxxx-000c29xxxxxx.exe” (Exhibit 19).
The duplicated binaries are responsible for encrypting each file on the system, which significantly slows down the infected system. After the encryption, the binaries are removed from the directory, leaving only 200-300 copies. The encryption process can be easily stopped by terminating the process tree.
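The host-level behaviours described in this analysis (the wiper installing a service for a driver with a random 4-character name, setting CrashDumpEnabled to 0, and disabling VSS; PartyTicket copying itself to GUID-named executables via “cmd /c copy” and writing files with the “.encryptedJB” extension) can be expressed as simple detection rules. The following is an added example, not part of the original analysis and not eSentire’s detection content: it runs a handful of rules over constructed telemetry lines in a simplified “Kind|key=value|...” format that stands in for Windows Event ID 7045 (service installed), Sysmon Event ID 13 (registry value set), Event ID 7040 (service start type changed), and process- and file-creation records. The registry path used is the standard location of CrashDumpEnabled under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl; the attacker e-mail in the sample file name is a placeholder.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed telemetry in a simplified "Kind|key=value|..." format. These are
// not real Windows event log lines; they stand in for the event sources named
// in the lead-in. The last two lines are benign noise that must not alert.
var sampleTelemetry = []string{
	`ServiceInstall|ServiceName=rhdr|ImagePath=C:\Windows\System32\drivers\rhdr.sys|StartType=demand start`,
	`RegistrySet|TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled|Details=DWORD (0x00000000)`,
	`ServiceConfigChange|ServiceName=VSS|OldStartType=demand start|NewStartType=disabled`,
	`ProcessCreate|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd /c copy C:\workdir\1f2a3b4c-5d6e-11ec-8f90-000c29ab12cd.exe 9a8b7c6d-5e4f-11ec-0123-000c29ab12cd.exe`,
	`FileCreate|TargetFilename=C:\Users\victim\Documents\report.docx.[email_placeholder].encryptedJB`,
	`ServiceInstall|ServiceName=MyBackupAgent|ImagePath=C:\Program Files\Backup\agent.exe|StartType=auto start`,
	`ProcessCreate|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd /c copy report.docx report_backup.docx`,
}

type event struct {
	kind   string
	fields map[string]string
}

// parseLine splits one telemetry line into its kind and key=value fields.
func parseLine(line string) event {
	parts := strings.Split(line, "|")
	ev := event{kind: parts[0], fields: map[string]string{}}
	for _, kv := range parts[1:] {
		if k, v, ok := strings.Cut(kv, "="); ok {
			ev.fields[k] = v
		}
	}
	return ev
}

var (
	// Driver dropped under a random 4-character name in the drivers directory.
	randomDriver = regexp.MustCompile(`(?i)\\drivers\\[a-z0-9]{4}\.sys$`)
	// Self-copy to the GUID pattern reported for PartyTicket: the third group
	// is fixed at 11ec and the node part starts with 000c29.
	guidCopyCmd = regexp.MustCompile(`(?i)^cmd /c copy .*[0-9a-f]{8}-[0-9a-f]{4}-11ec-[0-9a-f]{4}-000c29[0-9a-f]{6}\.exe`)
	encryptedJB = regexp.MustCompile(`(?i)\.encryptedJB$`)
)

// evaluate applies the rule that corresponds to the event kind and returns an
// alert message when the event matches.
func evaluate(ev event) (string, bool) {
	switch ev.kind {
	case "ServiceInstall":
		if randomDriver.MatchString(ev.fields["ImagePath"]) {
			return "HermeticWiper: kernel driver service installed under a 4-character random name", true
		}
	case "RegistrySet":
		if strings.HasSuffix(strings.ToLower(ev.fields["TargetObject"]), `\crashcontrol\crashdumpenabled`) &&
			strings.Contains(ev.fields["Details"], "0x00000000") {
			return "HermeticWiper: crash dump logging disabled (CrashDumpEnabled=0)", true
		}
	case "ServiceConfigChange":
		if strings.EqualFold(ev.fields["ServiceName"], "VSS") &&
			strings.EqualFold(ev.fields["NewStartType"], "disabled") {
			return "HermeticWiper: Volume Shadow Copy service set to disabled", true
		}
	case "ProcessCreate":
		if guidCopyCmd.MatchString(ev.fields["CommandLine"]) {
			return "PartyTicket: self-copy to GUID-named executable via cmd /c copy", true
		}
	case "FileCreate":
		if encryptedJB.MatchString(ev.fields["TargetFilename"]) {
			return "PartyTicket: file written with .encryptedJB extension", true
		}
	}
	return "", false
}

// detect runs every line through the rules and returns the alerts in order.
func detect(lines []string) []string {
	var alerts []string
	for _, line := range lines {
		if msg, hit := evaluate(parseLine(line)); hit {
			alerts = append(alerts, msg)
		}
	}
	return alerts
}

func main() {
	for _, a := range detect(sampleTelemetry) {
		fmt.Println("ALERT:", a)
	}
}
```

Any one of these rules fires on legitimate activity occasionally (a vendor installing a driver, an administrator disabling VSS), so they are best correlated: a driver install followed within seconds by the crash-dump and VSS changes on the same host is the sequence this analysis describes, and the PartyTicket copy command is specific enough to stand alone.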
From the technical analysis, we have derived that HermeticWiper is more sophisticated than WhisperGate in terms of implementing third-party drivers to facilitate access to the Physical Drives and modify its access token to enable interaction with the kernel. Moreover, the threat actor(s) behind HermeticWiper prevented the possibility of recovery by deleting shadow copies. Although the purpose of enumerating the critical parts of the OS is still not clear, we believe it’s probable that this was done to clear logs to avoid detection and attribution.
As mentioned previously, PartyTicket has been observed on machines infected with HermeticWiper. The technical analysis of PartyTicket indicates that the threat actor(s) implemented AES-GCM encryption together with an RSA public key for the targeted file extensions, making the attack look almost like a genuine ransomware attempt, whereas the WhisperGate decoy ransomware only overwrote the targeted files with 0xCC bytes and corrupted the MBR by overwriting it with a fake ransom note.
PartyTicket, the decoy ransomware, contains political messages based on the strings found mentioning “Biden” and a ransom note saying, “The only thing that we learned from new elections is we learned nothing from the old!”
HermeticWiper samples have different hashes but the same functionality. WhisperGate has only one known reported hash for the wiper sample, which likely means that HermeticWiper was able to spread across more machines than WhisperGate.
With the ongoing Russia-Ukraine conflict, it’s probable that threat actors from Russia and Ukraine will leverage new malware and that threat actors will likely improve their malware development capabilities to evade detection.
Our Threat Response Unit (TRU) combines intelligence gleaned from research, security incidents, and the external threat landscape to create actionable outcomes for our customers. We are taking a holistic response approach to combat modern ransomware by deploying countermeasures, such as:
Our detection content is backed by investigation runbooks, ensuring our SOC cyber analysts respond rapidly to any intrusion attempt tied to known ransomware tactics, techniques, and procedures. In addition, our Threat Response Unit closely monitors the ransomware threat landscape and addresses capability gaps and conducts retroactive threat hunts to assess customer impact.
We recommend implementing the following controls to help secure your organization against HermeticWiper and PartyTicket:
While the Tactics, Techniques, and Procedures (TTPs) used by adversaries grow in sophistication, they converge on a limited set of choke points at which critical business decisions must be made. Intercepting the various attack paths used by the modern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint detections, and the ability to investigate log and network data during active intrusions.
| Name | File Hash (SHA-256) |
| --- | --- |
| HermeticWiper | 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da |
| HermeticWiper | 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 |
| HermeticWiper | 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767 |
| HermeticWiper | 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397 |
| HermeticWiper | 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf |
| PartyTicket | 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 |
| RCDATA_DRV_X64 | e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5 |
| RCDATA_DRV_X86 | b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1 |
| RCDATA_DRV_XP_X64 | b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd |
| RCDATA_DRV_XP_X86 | fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d |
```yara
rule HermeticWiper
{
    meta:
        author = "eSentire TI"
        filetype = "Win32 EXE"
        date = "03/02/2022"
        version = "1.0"
        hash = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
    strings:
        // Device names used to reach the raw drives directly and via the EaseUS driver
        $drv1 = "\\\\.\\PhysicalDrive%u" wide fullword
        $drv2 = "\\\\.\\EPMNTDRV\\%u" wide fullword
        // NTFS metadata names referenced during partition corruption
        $NTFS1 = "$Bitmap" wide fullword nocase
        $NTFS2 = "$Logfile" wide fullword nocase
        $NTFS3 = "$I30" wide fullword nocase
        // Names of the embedded, SZDD-compressed driver resources
        $rcdata1 = "DRV_X64" wide fullword nocase
        $rcdata2 = "DRV_X86" wide fullword nocase
        $rcdata3 = "DRV_XP_X86" wide fullword nocase
        $rcdata4 = "DRV_XP_X64" wide fullword nocase
        // Volume enumeration APIs
        $storage1 = "GetLogicalDriveStrings" ascii nocase
        $storage2 = "GetDiskFreeSpace" ascii nocase
    condition:
        // MZ (PE) or ELF magic; the ELF constant as published (0x4464c457f)
        // had a stray leading digit and exceeded 32 bits, corrected to 0x464c457f
        (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f) and
        filesize > 113KB and
        (2 of ($drv*) and 3 of ($NTFS*) and 2 of ($rcdata*) and 2 of ($storage*))
}

rule PartyTicket
{
    meta:
        author = "eSentire TI"
        filetype = "Win64 EXE"
        date = "03/02/2022"
        version = "1.0"
        hash = "4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382"
    strings:
        // Go build path and function names left in the binary
        $project = "C:/projects/403forBiden/wHiteHousE/wHiteHousE.go" ascii nocase
        $string1 = "vote_result.cap" ascii nocase
        $string2 = "main.subscribeNewPartyMember" ascii nocase
        $string3 = "main.voteFor403" ascii nocase
        $string4 = "main.highWay60" ascii nocase
        $string5 = "main.BulletinNumber" ascii nocase
    condition:
        // Same magic check as above, with the ELF constant corrected to 0x464c457f
        (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f) and
        filesize > 3100KB and
        $project and 3 of ($string*)
}
```
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.