Nikowiper

Malware updated 6 months ago (2024-05-04T20:08:18.092Z)
NikoWiper is a data wiper attributed to Sandworm, a state-backed hacker group linked to Russia's Main Directorate of the General Staff of the Armed Forces (GRU). The malware, whose design is distinct from other wiper strains, was used in an October 2022 attack on a Ukrainian energy-sector company. It is based on SDelete, the Microsoft command-line utility for securely deleting files. NikoWiper typically infiltrates systems without the user's knowledge and can steal personal information, disrupt operations, or hold data hostage. In April, the same group was suspected of trying to disrupt the Ukrainian power grid with another malware program, Industroyer2. By October, ESET had discovered new variants of both CaddyWiper and HermeticWiper, along with NikoWiper. The prime targets of these Russia-aligned groups remained in Ukraine, where new versions of the known wipers RoarBat and NikoWiper were found, along with a newly identified wiper named SharpNikoWiper. Attributing these cyberattacks to Russian offensive cyber groups may seem obvious given the pattern of attacks and the victims involved, but evidence-based attribution remains complex. The presence of malware such as CaddyWiper, NikoWiper, RansomBoggs, or the Prestige ransomware points in a certain direction, yet definitive attribution requires rigorous investigation and concrete proof. Strong suspicions notwithstanding, such attributions should be approached with caution.
Description last updated: 2024-05-04T16:48:33.659Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names or profiles that may also be worth looking at.

Alias | Description | Votes
CaddyWiper | CaddyWiper is a possible alias for Nikowiper. CaddyWiper is destructive malware, a type of malicious software designed to exploit and damage computer systems. It was one of several malware strains deployed against Ukraine starting in January 2022 by the Russian Advanced Persistent Threat (APT) group, alongside others such as WhisperGate, HermeticWip [...] | 3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Wiper
Ransomware
Malware
Associated Malware
Alias | Description | Association Type | Votes
Prestige Ransomware | The Prestige Ransomware malware is associated with Nikowiper. In October 2022, a new strain of ransomware known as Prestige was reported by Microsoft. This malware had not been observed by Microsoft prior to its deployment and was found targeting transportation and logistics organizations in Ukraine and Poland. Prestige ransomware infects systems through suspi [...] | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Sandworm | The Sandworm threat actor is associated with Nikowiper. Sandworm, also known as APT44, is a Russia-linked threat actor that has been implicated in several major cyberattacks. This group has been particularly active against targets in Ukraine and Poland, with significant operations including the compromise of 11 Ukrainian telecommunications providers, whi [...] | Unspecified | 3