Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

New CaddyWiper Data Wiping Malware Hits Ukrainian Networks (bleepingcomputer.com) 13

Newly discovered data-destroying malware was observed earlier today in attacks targeting Ukrainian organizations and deleting data across systems on compromised networks. BleepingComputer reports: "This new malware erases user data and partition information from attached drives," ESET Research Labs explained. "ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations." While designed to wipe data across Windows domains it's deployed on, CaddyWiper will use the DsRoleGetPrimaryDomainInformation() function to check if a device is a domain controller. If so, the data on the domain controller will not be deleted. This is likely a tactic used by the attackers to maintain access inside the compromised networks of organizations they hit while still heavily disturbing operations by wiping other critical devices.

While analyzing the PE header of a malware sample discovered on the network of an undisclosed Ukrainian organization, it was also discovered that the malware was deployed in attacks the same day it was compiled. "CaddyWiper does not share any significant code similarity with HermeticWiper, IsaacWiper, or any other malware known to us. The sample we analyzed was not digitally signed," ESET added. "Similarly to HermeticWiper deployments, we observed CaddyWiper being deployed via GPO, indicating the attackers had prior control of the target's network beforehand."

This discussion has been archived. No new comments can be posted.

New CaddyWiper Data Wiping Malware Hits Ukrainian Networks

Comments Filter:
  • IF MS had bothered to design in Immutable settings, this would be very hard to happen. Maybe the disk quota system rings alarm bells when a pre-defined number of consecutive operations trigger flags. Maybe if no backup flag has been set (checked by a digital signature) such operations stopped. There are products that deep freeze I/O's to a bitmap ready for instant restore, or confirmed real write. Move to OpenBSD. All eggs in one basket is crazy.
    • Are you volunteering to go over and help them migrate all their data and applications to equivalent applications that will run under OpenBSD? It might be easier if you just teach them overnight how to do a proper 3-2-1 backup of their data.

      I would call ahead before you plan to go over to help them do things the right way. I hear they're a little busy right now. /s

      • by bjwest ( 14070 )
        He seems to be offering a solution, maybe not to this particular instance of the vulnerability in Ukraine right now, but perhaps for consideration in the future. Instead of attacking him, how about offering your own solution or criticize his in a constructive way, or just be gone with your toxic comment that adds absolutely nothing to the conversation?
        • It was a sarcastic comment about the timing of suggesting that the solution to Ukraine's ransomeware/datawipe problem was changing to OpenBSD.

          If his comment was meant as a philosophical discussion about the relative merits of the Windows NFTS file system vs the many others that are out there then perhaps you view my reply as "toxic" but I was struck by how little his suggestion would help the current problem. It is akin to suggesting "they should beef up their IT security so it doesn't happen." A great su

    • by gweihir ( 88907 )

      If MS cared about security, their stuff would not be such an incredibly insecure mess today. They do not. They do the minimum they think they can get away with. Since too many customers have painted themselves into a corner by doing an abysmally stupid "MS strategy", that minimum is not very good and still allows easy attacking of MS-based computing. Monopolies are bad for everyone except the monopolist.

  • Comment removed based on user account deletion
  • some data foreign organizations just need to get rid of.

  • (which with the current genocide by Russia of Ukrainian population might even be plausible)

    Conspiracy Theory: "Because the International Court is requesting recordings of Russia violations of Human Rights, War Crimes, etc., they have released a wiping virus..."

    I've just thought of it (not that I believe every though I think, you know XD )

  • Glad I no longer use any Microsoft products. If you don't want to get hit by the Microsoft Fail Train don't walk on the tracks.

Any programming language is at its best before it is implemented and used.

Working...