CaddyWiper Data Wiper Attacks Ukraine
Industry: Critical Infrastructure | Level: Strategic | Source: BleepingComputer
Initially discovered by ESET researchers and reported by BleepingComputer, a new data-destroying malware named CaddyWiper is attacking Ukrainian organizations. According to ESET's Twitter account, "ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations." Notably, the malware checks whether the host is a domain controller and, if so, leaves the data on the domain controller unaffected; ESET hypothesizes that this exclusion is meant to ensure the attacker retains access. Analysis of the malware identified that it was compiled on Monday, March 14th, 2022 at 07:19:32 UTC. While the malware does not share "significant code similarity" with prior wipers, CaddyWiper's deployment is similar to HermeticWiper's, as ESET's tweet states: "Similarly to HermeticWiper deployments, we observed CaddyWiper being deployed via GPO, indicating the attackers had prior control of the target's network beforehand."