Immediate Shields Up Actions
• Patch vulnerabilities.
• Use MFA.
• Run antivirus.
• Enable strong spam filters to prevent phishing emails from reaching end users.
• Disable ports and protocols that are not essential.
• Strengthen controls for cloud services.
Summary
Note: CISA will continue to update this webpage as we have further guidance to impart and additional reporting to share. Information contained on this webpage is provided “as-is” for informational purposes only. CISA does not endorse any company, product, or service referenced below. See CISA's Shields Up webpage for further steps to reduce cybersecurity risk.
CISA and its Joint Cyber Defense Collaborative (JCDC) partners are responding to ongoing Russian state-sponsored cyber activity in connection with Russia's attack on Ukraine.
Timeline
February 25, 2022. Conti ransomware actors threaten "retaliatory measures" targeting critical infrastructure in response to "a cyberattack or any war activities against Russia."
- Joint Cybersecurity Advisory – Conti Ransomware (initial publication September 22, 2021) provides tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IOCs) for Conti ransomware attacks. The advisory also provides mitigation guidance.
- StopRansomware.gov provides guidance on ransomware protection, detection, and response; and includes ransomware advisories and resources from CISA and other federal partners.
February 23, 2022. Distributed denial-of-service (DDoS) attack on Ukrainian organizations, including Ukrainian government agencies.
- See announcement from State Service for Special Communication and Information Protection of Ukraine.
- See CISA tip, Understanding Denial-of-Services Attacks.
HermeticWiper malware used to attack Ukrainian organizations. Note: currently, the U.S. Government has not attributed this activity to a particular threat actor.
- Joint Cybersecurity Advisory – Destructive Malware Targeting Organizations in Ukraine provides indicators of compromise (IOCs) and mitigation guidance for HermeticWiper and other destructive malware activity targeting Ukrainian organizations.
- According to Broadcom, upon execution, "the wiper will damage the Master Boot Record (MBR) of the infected computer, rendering it inoperable."
- According to SentinelOne, the wiper, which is itself digitally signed and abuses a legitimate signed partition-management driver to get raw disk access, "targets Windows devices, manipulating the MBR resulting in subsequent boot failure."
January 13, 2022. "WhisperGate" wiper activity targets Ukrainian organizations, including Ukrainian government agencies.
- According to Microsoft, the malware executes when the victim device is powered down and overwrites the MBR with a ransom note; the ransom note is a ruse, however, because the malware actually destroys the MBR and the targeted files with no recovery path.
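Both wipers above attack sector 0 of the disk: HermeticWiper corrupts the MBR outright, WhisperGate replaces it with a ransom note. The following triage script is an added example for this page, not CISA's or any cited vendor's code. It reads a 512-byte MBR, validates the 0x55AA boot signature, decodes the four partition entries, measures how much of the boot-code area is printable text, and compares the sector hash against a known-good baseline. The three sample sectors are constructed for the demo (a plausible NTFS layout, a zero-filled sector, and a text-filled sector), not captures from real malware; `read_mbr` is the only part that touches a real device.

```python
# Added example (not CISA's or any cited vendor's code): triage a Master Boot Record
# for HermeticWiper/WhisperGate-style destruction. Sample sectors are constructed.
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

MBR_SIZE = 512
PART_TABLE_OFF = 446          # four 16-byte partition entries start here
BOOT_SIG_OFF = 510            # 0x55 0xAA occupy the last two bytes
BOOT_SIG = b"\x55\xaa"
TEXT_RATIO_THRESHOLD = 0.8    # boot code that is mostly ASCII is a ransom note, not code


@dataclass
class MbrReport:
    sha256: str
    signature_ok: bool
    partitions: List[dict]
    text_ratio: float
    verdict: str


def read_mbr(path: str) -> bytes:
    """Read sector 0 of a disk image or block device (/dev/sda, \\\\.\\PhysicalDrive0)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def parse_partitions(mbr: bytes) -> List[dict]:
    """Decode the classic partition table, skipping empty (type 0x00) slots.
    Entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count."""
    entries = []
    for slot in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * slot)
        if ptype:
            entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def text_ratio(blob: bytes) -> float:
    """Fraction of printable ASCII bytes: real boot code scores low, a note scores high."""
    if not blob:
        return 0.0
    return sum(0x20 <= b < 0x7F for b in blob) / len(blob)


def analyze_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> MbrReport:
    """Return a verdict for one sector; checks are ordered from most to least conclusive."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    digest = hashlib.sha256(mbr).hexdigest()
    sig_ok = mbr[BOOT_SIG_OFF:] == BOOT_SIG
    parts = parse_partitions(mbr)
    ratio = text_ratio(mbr[:PART_TABLE_OFF])
    if not sig_ok:
        verdict = "wiped: boot signature 0x55AA missing"
    elif baseline_sha256 and digest != baseline_sha256:
        verdict = "modified: sector hash differs from known-good baseline"
    elif not parts:
        verdict = "suspicious: partition table is empty"
    elif ratio > TEXT_RATIO_THRESHOLD:
        verdict = "suspicious: boot code is mostly printable text (ransom-note overwrite)"
    else:
        verdict = "ok"
    return MbrReport(digest, sig_ok, parts, ratio, verdict)


def _entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)


# Constructed samples for the demo (not real disk captures).
_BOOT_CODE = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8b\xf4\x50\x07\x50\x1f\xfb\xfc" * 28)[:PART_TABLE_OFF]
SAMPLE_GOOD_MBR = _BOOT_CODE + _entry(0x80, 0x07, 2048, 0x1000000) + bytes(48) + BOOT_SIG
SAMPLE_ZEROED_MBR = bytes(MBR_SIZE)                      # what a zero-fill wipe leaves behind
_NOTE = b"Your hard drive has been corrupted. Send $10k to recover. "
SAMPLE_NOTE_MBR = (_NOTE * 8)[:PART_TABLE_OFF] + bytes(64) + BOOT_SIG  # note, no partitions

if __name__ == "__main__":
    baseline = analyze_mbr(SAMPLE_GOOD_MBR).sha256   # capture this from healthy hosts beforehand
    for name, sector in (("good", SAMPLE_GOOD_MBR), ("zeroed", SAMPLE_ZEROED_MBR),
                         ("note", SAMPLE_NOTE_MBR)):
        print(f"{name:7s} {analyze_mbr(sector, baseline).verdict}")
```

The baseline hash is the check that matters operationally: record the SHA-256 of sector 0 for each host while it is healthy, then compare during triage, since a wiper that leaves the signature intact and writes valid-looking but wrong entries passes the structural checks. Two caveats: GPT disks carry a protective MBR with a single type 0xEE entry, which this parser reports normally, and a wiper that targets file-system structures rather than sector 0 passes every check here, so a clean MBR is not a clean disk.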
Mitigation Guidance and Resources from JCDC and Other Partners
HermeticWiper Malware
- Joint Cybersecurity Advisory – Destructive Malware Targeting Organizations in Ukraine provides indicators of compromise (IOCs) and mitigation guidance for HermeticWiper and other destructive malware activity targeting Ukrainian organizations. Note: currently, the U.S. Government has not attributed this activity to a particular threat actor.
- Joint Cybersecurity Advisory –
- ESET: HermeticWiper: New data‑wiping malware hits Ukraine
- SentinelOne: HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine
- Broadcom Software: Ukraine: Disk-wiping Attacks Precede Russian Invasion
- Recorded Future: Second data wiper attack hits Ukraine computer networks
- IBM: IBM Security X-Force Research Advisory: New Destructive Malware Used In Cyber Attacks on Ukraine
- SecureWorks: Disruptive HermeticWiper Attacks Targeting Ukrainian Organizations
- Palo Alto Networks: Russia-Ukraine Crisis: How to Protect Against the Cyber Impact
- CrowdStrike: CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks
Related Resources
- Mandiant: Ukraine Crisis Resource Center
- IBM: An Update on the Russia/Ukraine Situation
- SecureWorks: Russia-Ukraine Crisis
- Microsoft: Destructive malware targeting Ukrainian organizations
- Microsoft: Digital technology and the war in Ukraine
- Palo Alto Networks: Threat Brief: Ongoing Russia and Ukraine Cyber Conflict
- Palo Alto Networks: Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine
- CrowdStrike: Lessons Learned From Successive Use of Offensive Cyber Operations Against Ukraine and What May Be Next
- CrowdStrike: Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities
- CISA: Free Cybersecurity Services and Tools
- CISA: Russia Cyber Threat Overview and Advisories. Note: contains links to all related CISA technical cybersecurity publications, including:
- Joint Cybersecurity Advisory (CSA) – Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
- Joint CSA – New Sandworm Malware Cyclops Blink Replaces VPNFilter
- Joint CSA – Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology
- CISA webpage – Shields Up
- CISA: Joint CSA – Conti Ransomware
- StopRansomware.gov
- National Security Agency (NSA) CSA – Stop Malicious Cyber Activity Against Connected Operational Technology
- Joint CSA – Technical Approaches to Uncovering and Remediating Malicious Activity
- NIST Special Publication 800-40 Revision 3, Guide to Enterprise Patch Management Technologies
- CISA offers a range of no-cost cyber hygiene services—including vulnerability scanning and ransomware readiness assessments—to help organizations assess, identify, and reduce their exposure to cyber threats.

