The good people at SentinelOne wrote a great post on HermeticWiper, the destructive piece of malware being used in cyber attacks on Ukraine. We're using the indicators of compromise (IOCs) in that post to bring you this very simple explainer on how to use Gigasheet to detect if any system in your deployment contains the IOCs associated with HermeticWiper. Thank you to SentinelOne, Symantec and ESET as well as everyone else in the community who's pitching in to help fend off Russian attacks.
The entire process explained here requires only free tools, 5 simple steps, and should not require special training or skillsets. If you can use a spreadsheet, you can do this.
1) Sign up for a free Gigasheet account at https://app.gigasheet.com/signup
2) Get the IOCs files The HermeticWipers IOCs are contained in this file. Click the View Only button and save a copy of it into your account.
3) In Your Files, Upload a list of the SHA1 hashes from the files on as many different devices you are monitoring. You can often get this from endpoint security or antivirus products. Here's an example of what that looks like, using 20 different devices totaling 19 million files, with anonymized file names:
Gigasheet can handle files with up to a billion rows.
4) Press Function (Fx) button above your sheet:
and choose Cross File Lookup to compare the IOCs in the HermeticWiper Gigasheet dataset to the hashes in your file
Select the columns to match:
5) A new column will appear, called "Cross Lookup Result".
Filter for matches:
In this dataset, we immediately see which two files (of the 19.4 million we are monitoring) match HermeticWiper IOCs, and now we can move to isolate and patch device_19 and device_22.
We’ve found manual removal instructions on these two sources. Note: we have not yet validated these steps or sources:
We hope this can be of use for less technical sysadmins or those with limited tools and or budgets. If you need help, please chat with us in product or through our support site at http://support.gigashee.com