CaddyWiper is the fourth wiper detected targeting Ukrainian infrastructure. It erases user data and partition information from attached drives. CaddyWiper was deployed via GPO, indicating that the attackers had prior control of the target's network. CaddyWiper uses the DsRoleGetPrimaryDomainInformation() function to check whether the device is a domain controller; if it is, the data on the domain controller is not deleted. This is likely a tactic the attackers use to maintain access inside the compromised networks of the organizations they hit while still heavily disrupting operations by wiping other critical devices.

CaddyWiper Signatures

Family: DoS:Win32/CaddyBlade.A!dha
MD5: 42e52b8daf63e6e26c3aa91e7e971492
SHA256: a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea

CaddyWiper Download

Download CaddyWiper Sample