ESET Researchers Discover New 'CaddyWiper' Malware Attacking Ukraine Orgs

ESET researchers have uncovered yet another destructive data wiper that was used in attacks against organizations in Ukraine. Dubbed CaddyWiper by ESET analysts, the malware was first detected this week.

The wiper, which destroys user data and partition information from attached drives, was spotted on several dozen systems in a limited number of organizations. It is detected by ESET products as Win32/KillDisk.NCX.

CaddyWiper bears no major code similarities to either HermeticWiper or IsaacWiper, the other two new data wipers that have struck organizations in Ukraine since February 23rd.

Much like with HermeticWiper, however, there’s evidence to suggest that the bad actors behind CaddyWiper infiltrated the target’s network before unleashing the wiper.


Experts with Dispersive Holdings and Shared Assessments shared their thoughts on this latest malware discovery tied to the Russia-Ukraine conflict.

Rajiv Pimplaskar, CEO, Dispersive Holdings, Inc.:

“A key vector of attack for malware incursions is exploring network vulnerabilities. Typical private as well as public cloud infrastructures make it reasonably easy for sophisticated threat actors to identify resources and data flows of interest, which makes it possible to intercept them via a Man In The Middle (MITM) attack as well as conduct various operations, including capturing the shared secret exchange. Enterprises and Governments should look at a managed attribution model which obfuscates high-value data flows in transit as well as endpoints from underlying (and potentially unfriendly) network resources, making it virtually impossible to detect, let alone intercept, sensitive data.”

Nasser Fattah, North America Steering Committee Chair, Shared Assessments:

“As expected, destructive malware will be the de facto type of malware during the eastern European conflict because it is designed to not only make targeted technologies inoperable but also unrecoverable. The goal is to destroy the underlying technology that supports critical business functions. Here the destructive malware is politically driven where complete system disruption can cause great financial harm, as well as significant human casualties (think water purification systems ceasing to work or hospitals not having electricity).”

