How To
Feb 25, 2022

5 Simple Steps To Detect Russian HermeticWiper Malware Targeting Ukraine

The good people at SentinelOne wrote a great post on HermeticWiper, the destructive piece of malware being used in cyber attacks on Ukraine. We're using the indicators of compromise (IOCs) in that post to bring you this very simple explainer on how to use Gigasheet to detect whether any system in your deployment contains the IOCs associated with HermeticWiper. Thank you to SentinelOne, Symantec and ESET, as well as everyone else in the community who's pitching in to help fend off Russian attacks.

The entire process explained here uses only free tools, takes 5 simple steps, and should not require special training or skills. If you can use a spreadsheet, you can do this.

1) Sign up for a free Gigasheet account at https://app.gigasheet.com/signup?referrerId=https://www.gigasheet.com/post/detect-hermeticwiper-with-gigasheet

2) Get the IOC file. The HermeticWiper IOCs are contained in this file. Click the View Only button and save a copy of it to your account.

3) In Your Files, upload a list of the SHA1 hashes of the files on as many of the devices you are monitoring as possible. You can often export this from endpoint security or antivirus products. Our example uses 20 different devices totaling 19 million files, with anonymized file names.

Gigasheet can handle files with up to a billion rows.

4) Press the Function (Fx) button above your sheet and choose Cross File Lookup to compare the IOCs in the HermeticWiper Gigasheet dataset to the hashes in your file.

Select the columns to match.

5) A new column called "Cross Lookup Result" will appear. Filter it for matches.

In this dataset, we immediately see which two files (of the 19.4 million we are monitoring) match HermeticWiper IOCs, and now we can move to isolate and patch device_19 and device_22.
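As an added illustration (not code from the original post or from Gigasheet), here is the same hash-based cross-file lookup done offline in Python: it normalises the SHA1 values, joins a constructed IOC list against a constructed per-device file inventory, and reports which devices to isolate. The hashes, device names and paths are placeholders, not real HermeticWiper indicators.

```python
import csv
import io
import re

# Constructed IOC list standing in for the HermeticWiper SHA1 hashes:
# placeholder values, not real indicators.
IOC_CSV = """sha1,description
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef,placeholder-wiper-sample-1
cafebabecafebabecafebabecafebabecafebabe,placeholder-wiper-sample-2
"""

# Constructed file inventory export, in the shape an EDR/AV product might give.
# One hash is upper-case on purpose, to show that matching is case-insensitive.
INVENTORY_CSV = """device,path,sha1
device_01,C:\\Windows\\System32\\anon_0001.exe,feedfacefeedfacefeedfacefeedfacefeedface
device_19,C:\\Users\\anon\\anon_0002.exe,deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
device_22,C:\\Temp\\anon_0003.dll,CAFEBABECAFEBABECAFEBABECAFEBABECAFEBABE
device_22,C:\\Temp\\anon_0004.dll,0badf00d0badf00d0badf00d0badf00d0badf00d
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

def normalise(h):
    """Lower-case and strip a hash; return None if it is not a valid SHA1 hex string."""
    h = (h or "").strip().lower()
    return h if SHA1_RE.match(h) else None

def load_iocs(text):
    """Return {sha1: description} from an IOC CSV, skipping malformed rows."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(text)):
        h = normalise(row.get("sha1"))
        if h:
            iocs[h] = row.get("description", "")
    return iocs

def cross_file_lookup(inventory_text, iocs):
    """Match each inventory row's SHA1 against the IOC set; return (matches, devices)."""
    matches = []
    for row in csv.DictReader(io.StringIO(inventory_text)):
        h = normalise(row.get("sha1"))
        if h and h in iocs:
            matches.append((row["device"], row["path"], h, iocs[h]))
    devices = sorted({m[0] for m in matches})  # hosts to isolate
    return matches, devices

if __name__ == "__main__":
    matches, devices = cross_file_lookup(INVENTORY_CSV, load_iocs(IOC_CSV))
    for device, path, sha1, desc in matches:
        print(f"{device}\t{path}\t{sha1}\t{desc}")
    print("isolate:", ", ".join(devices))
```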

How to Remove Hermetic Wiper Malware

We’ve found manual removal instructions on these two sources. Note: we have not yet validated these steps or sources:

https://www.pcrisk.com/removal-guides/23150-hermeticwiper-malware#a2

https://malwarefixed.com/blog/how-to-remove-hermeticwiper-virus#Manual_steps_for_HermeticWiper_virus_removal

We hope this can be of use to less technical sysadmins or those with limited tools and/or budgets. If you need help, please chat with us in the product or through our support site at http://support.gigashee.com
