Researchers have released detailed analysis, including its similarities with NotPetya group, on the WhisperGate wiper that crippled Ukrainian organizations. The WhisperGate attacks started on January 13 and the motive was financial gain and disruption of the target's operations.

A deeper look into WhisperGate

Describing the malware, Microsoft said it was designed to look like a ransomware but intended to do inoperable damages. Further, Cisco Talos researchers claimed that stolen credentials provided initial access for the deployment of the wiper.
  • Just like the NotPetya wiper, which once masqueraded as a ransomware in its earlier campaigns, WhisperGate also presented itself as a ransomware. It fully overwrites the MBR with a ransom note.
  • In addition, this malware further attempts to destroy the C:\ partition, overwriting it with some garbage data. This additional action of wiping disk partitions is usually not seen in wiper malware like NotPetya.
  • Moreover, as many of the latest systems are now adopting the new GUID Partition Tables (GPTs), this executable may not be successful. Therefore, this malware uses additional steps and payloads for further destruction.

What happens in the additional stages?

In the second stage, a downloader obtains the required code for the third step. A PowerShell command is executed twice, resulting in the endpoint entering sleep mode for 20 seconds.
  • A Discord server URL, hardcoded into the downloader, is then pinged to grab a ‘.DLL’ file obfuscated with the Eazfuscator. This deploys and runs the main wiper payload via VBScript.
  • Additionally, Windows Defender settings are modified to avoid the targeted drive from scans. 
  • In case the first-stage wiper fails to avoid the endpoint, the attackers had prepared a fourth-stage wiper payload as a backup plan. In the fourth stage, the wiper looks for fixed and remote logical drives to target.

Additional attack characteristics

Researchers revealed several additional characteristics of this malware.
  • The wiper overwrites each file with 1MB worth of 0xCC bytes and renames it with a random four-byte extension.
  • Files with certain extensions out of 192 extensions, such as .KEY, .PPT, .RAR, and .HTML are destroyed. 
  • After the wiping process, it uses Ping to perform delayed command execution for deleting InstallerUtil[.]exe.
  • At last, the wiper tries to flush all file buffers to disk and terminate all running processes, as well as itself, by calling ExitWindowsEx Windows API with the EWX_SHUTDOWN flag.


The recent analysis of the WhisperGate wiper will help organizations better understand the threat. To stay protected, CISA recommends organizations implement multi-factor authentication for remote systems, implement strong security controls for cloud services, and disable non-critical ports and access points.

Cyware Publisher