CaddyWiper ! Third Wiper Seen Attacking Ukraine

A new type of destructive wiper malware affecting computers in Ukraine, discovered by ESET researchers dubbed CaddyWiper

CaddyWiper bears no major code similarities to either HermeticWiper or IsaacWiper, the other two new data wipers that have struck organizations in Ukraine since February 23rd.

Much like with HermeticWiper, there’s evidence to suggest that the bad actors behind CaddyWiper infiltrated the target’s network before unleashing the wiper.

The malware erases user data and partition information from any drives attached to a compromised machine. The malware corrupts files on the machine by overwriting them with null byte characters, making them unrecoverable.

The number of cases in the wild appears to be small, and ESET’s research had observed one organization being targeted with CaddyWiper, the overall attack impact is yet to be known.

ESET research has previously uncovered two other strains of wiper malware targeting computers in Ukraine. The first strain, labeled HermeticWiper by researchers, was discovered on February 23rd, one day before Russia began the military invasion of Ukraine. Another wiper known as IsaacWiper was deployed in Ukraine on February 24th.

Wiper programs share some similarities with ransomware in terms of their ability to access and modify files on a compromised system, but unlike ransomware which encrypts data on a disk until a release fee is paid to attackers wipers permanently delete disk data and give no way to recover it. This means the objective of the malware is purely to cause damage to the target rather than extract any financial reward for the attacker.

While pro-Russia hackers have used malware to destroy the data on Ukrainian computer systems, some hackers who support Ukraine have taken the opposite approach, leaking data from Russian businesses and government agencies as an offensive tactic.