Representative offices: 

Request callback

CrowdStrike Falcon protects against new Wiper malware used in cyberattacks against Ukraine


CrowdStrike products is a company that can be proud not only for its high-quality and powerful endpoint protection solutions, but also about its well-developed corporate policy. Since its first day, the company has cooperated only with countries that demonstrate their commitment to European values and non-violent policies. The CrowdStrike team does not divide business and morality. While many IT companies, in light of today's violent events in Ukraine, are only beginning to realize the immorality of the shadow side of the aggressor country, CrowdStrike has never cooperated with such countries as Russia, Iran, China, North Korea, etc. in its existence. We encourage other IT companies to break their partnership with the aggressor country, and we are sincerely glad that more and more of our vendors have already done so.

On February 23, 2022 it was reported about new Wiper malware which attacked Ukrainian systems. After a series of denial-of-service attacks and hacking a number of Ukrainian websites, the new malware breached the master boot record (MBR), as well as all accessible physical disk partitions and the file system on Windows machines.

Intelligence of CrowdStrike products has named this new destructive software — DriveSlayer, and it is the second Wiper-type program to hit Ukraine in terms of recent attacks using the WhisperGate. DriveSlayer is digitally signed using a valid certificate. The software exploits the legitimate EaseUS Partition Master driver to access and control the disk in order to make the system non-functional.

The CrowdStrike Falcon platform can provide reliable and continuous protection against DriveSlayer and wiper-type threats, providing real-time workload monitoring to protect customers.

Test the effectiveness of CrowdStrike products solution in person by sending us a request to test the high-performance platform Falcon.

Technical Analysis

Unlike WhisperGate, which uses higher-level API calls, DriveSlayer uses raw disk access to destroy data.

During initialization, two additional command-line parameters can be used to indicate when the malware is asleep before starting the destruction process and rebooting the system. If they are not specified, the default values are 20 and 35 minutes.

After that, the malware makes sure that it has the appropriate privileges to perform its destructive actions. It uses the API AdjustTokenPrivileges to assign itself the following privileges: SeShutdownPrivilege, SeBackupPrivilege and SeLoadDriverPrivilege.

Privilege Name Description
SeShutdownPrivilege Provides the ability to shut down a local system
SeBackupPrivilege Provides the ability to perform system backup operations
SeLoadDriverPrivilege Provides the ability to load or unload a device driver

A variety of drivers will be loaded depending on the system version. The malware uses IsWow64Process to determine the version of the driver to be loaded. These drivers are located in the resources section of the binary file and are compressed using the Lempel-Ziv algorithm. The driver file is written to system32\drivers with a 4-character, pseudorandomly generated name. This file is then unpacked with LZCopy into a new file with the extension ".sys".

Example File Name Description
C:\Windows\System32\drivers\bpdr Lempel-Ziv compressed driver
C:\Windows\System32\drivers\bpdr.sys Decompressed driver

Before the driver is loaded, the malware disables the emergency dump by setting the following registry key:

Registry Value Description
HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled 0 Disables crash dump

To load the driver, a new service is created using the API CreateServiceW. The name and display name for this service is the 4-character name used for the file name. Next, StartServiceW is called in a loop five times to ensure the driver is loaded. Immediately after the driver is loaded, the service is removed by deleting the entire registry key.

After the driver is loaded, the VSS service is disabled using the Control Service Manager. Following this, a number of additional threads are created. A thread is created to handle the system reboot. It will sleep for the time specified by a command line parameter of 35 minutes, at which point the system will be restarted by an API call to InitializeSystemShutdownExW.

Another thread disables features in the UI that could alert the user of suspicious activity occurring on the system before iterating through attached drives.

Registry Value Description
0 Disables colors for compressed and encrypted NTFS files
0 Disables pop-up information about folders and desktop items

Finally, the malware begins its destructive routine by spawning multiple additional threads that overwrite the files on disk and destroy the partition tables. Once the system is rebooted, the user will see a blank screen with the words “Missing operating system.”

The Falcon Platform’s Continuous Monitoring and Visibility Stop Destructive Malware

The Falcon platform takes a layered approach to protect workloads. Using on-sensor and cloud-based machine learning, behavior-based detection using indicators of attack (IOAs), and intelligence related to tactics, techniques and procedures (TTPs) employed by threats and threat actors, the Falcon platform enables visibility, threat detection and continuous monitoring for any environment, reducing time to detect and mitigate threats including destructive malware.

As shown in Figure 1, the Falcon platform uses cloud-based machine learning to detect DriveSlayer and prevent the malware from performing additional malicious actions, such as loading additional components.

Figure 1. The Falcon platform’s cloud-based machine learning detects DriveSlayer wiper

The Falcon platform’s behavior-based IOAs can detect and prevent suspicious processes from executing or loading additional components, as well as other behaviors that indicate malicious intent. For example, Falcon detects and prevents DriveSlayer behavior such as tampering with specific registry keys. The behavior-based detection is further layered with a traditional indicator of compromise (IOC)-based hash detection (see Figure 2).

Figure 2. CrowdStrike Falcon detects and prevents DriveSlayer destructive behavior

Because DriveSlayer has no built-in propagation methods for spreading across infrastructures, and because reports of it being used to target Ukraine have so far been limited, the risk of organizations encountering this data-wiping threat may be low at present. CrowdStrike will continue to monitor and report on the situation as it unfolds.

Customers of CrowdStrike Falcon can proactively monitor their environments with hunting queries to identify indicators of DriveSlayer presence. Check the CrowdStrike Support Portal for a brief description.

iIT Distribution as the official distributor of CrowdStrike solutions strongly encourages organizations that are facing the risk of cyber incidents to take steps to improve their operational resilience. CrowdStrike security solutions can protect against malware and the threat of data destruction by providing full visibility of the environment and intelligence monitoring of cloud resources to detect and respond to potential threats - including destructive ones - and limit potential damage.


Mobile Marketing