Source: https://cobaltstrike.net/2022/02/25/530329-php/
New data-wiping malware deployed in Ukrainian networks during destructive attacks was, in some cases, accompanied by a decoy in the form of a ransomware program written in Go.
“In several attacks investigated by Symantec, ransomware programs were also deployed against affected organizations at the same time as the wiper. As in the case of the wiper, scheduled tasks were used to deploy ransomware,” Symantec experts said.
According to the experts, the ransomware program was used as a decoy or distraction from the wiper attacks. The situation has some similarities with the earlier WhisperGate wiper attacks on Ukraine.
The ransomware also left a ransom note on compromised systems with a political message that said: “The only thing that we learned from new elections is we learned nothing from the old!” The ransom note asks victims to contact two email addresses in order to recover their files.
The wiper, dubbed HermeticWiper, was used during recent attacks on Ukrainian organizations and also reached systems outside Ukraine. Financial and government contractors from Ukraine, Latvia and Lithuania were also affected by the malware.
The malware uses EaseUS Partition Manager drivers to corrupt files on compromised devices before restarting the computer. It also destroys the device’s master boot record, leaving all infected devices unbootable.