Cyberwar in Europe: Unpacking the Ukrainian Wipers
Check out our new podcast, ConversingLabs. Airing every two weeks, ConversingLabs features conversations with the top minds in threat hunting, reverse engineering and cyber defense. Join host Paul Roberts as he interviews threat hunting and threat intelligence experts from ReversingLabs and around the world.
EPISODE TRANSCRIPT
PAUL ROBERTS
Hi, my name is Paul Roberts and I'm the cyber content lead here at ReversingLabs. And I'm here to welcome you to the first episode of a new podcast that we're doing called ConversingLabs. Features conversations about threats, threat detection, and cyber defense. Every two weeks, ConversingLabs will introduce you to the best minds and threat intelligence malware, reverse engineering, threat hunting, and software assurance. We'll take on the news of the day and unpack the latest threats and attacks to help give you critical insights that can help with your own risk assessments and cyber defense. This week, we're focusing on the war in Ukraine and taking a close look at some of the new malware that's appeared in Ukrainian cyberspace, both preceding and following Russia's invasion on February 24. Our guest is Mislav Boroš, who's a threat researcher here at ReversingLabs, and we're going to be talking about an analyzing Hermetic wiper and Isaac wiper, which are two wiper malware variants that have been used to attack Ukraine. We're also going to talk about a third variant, Caddy wiper that's just been discovered in recent days.
PAUL ROBERTS
I'm going to just start out and introduce myself and I'm going to pass it to me, so I've let him introduce himself.
PAUL ROBERTS
My name is Paul Roberts, and I'm the cyber content lead here at ReversingLabs. I'm a longtime cyber security journalist, started a publication called The Security Ledger. And so I've been writing about cybersecurity for about 20 years, and I'm really happy to be working here at ReversingLabs with some of the just top minds in cyber threat intelligence and research, and happy to be able to be here and kind of help along with conversations, Mislov. Tell the folks about yourself.
MISLAV BOROŠ
Hi, Paul, thanks for the introduction. I'm very excited to be a part of this first episode. Hopefully we'll give some insights and know how that people will find interesting. So my name is Mislav Boroš. I'm a threat analyst here in ReversingLabs. I'm actually a part of the Titanium Core team. And Titanium Core, for those who don't know, is actually our static file analysis engine, and most of our other products are built on top of it. It's responsible for file identification, unpacking a lot of different file formats, metadata extraction and behavior indicator extraction and file classification. I've been in information security for ten years, I've been in the military, I've been a penetration tester, and for more than three and a half years I've been a threat analyst here in ReversingLabs.
PAUL ROBERTS
Thanks so much. It's a really impressive resume. So when we're talking about these Ukrainian wiper malware variants, this is something that is really coming to a head right now with the conflict between Russia and Ukraine. Russia's invasion of Ukraine on February 24, but this is not a new phenomenon. In fact, the NotPetya malware, which circulated back in 2017, also began in Ukraine. Looked initially like it was ransomware, but ended up really effectively being a wiper malware. So this is something that we're seeing more and more of and Mislav, just to start off, I thought I'd ask you to kind of talk about the difference for somebody like yourself. What determines whether something is a wiper malware or just ransomware?
MISLAV BOROŠ
Well, the main difference between wiper and ransomware is the goal of the attacker, because the threat actor behind ransomware wants to have some financial gain from the malware. He wants to encrypt your files, and he wants to be able to decrypt them if you pay him. Because if other organizations hit by the same ransomware hear that the malware operators do not successfully recover your files, they won't probably pay them. So they want to have a successful business model where they successfully encrypt their files, probably steal them and threaten to publish them publicly, and they want to get paid. Now, on the other hand, the threat actors behind wiper malware will simply want to destroy data on your computer, have no financial gain, and basically it's just to disrupt services in a certain area or certain organizations, industries and similar.
PAUL ROBERTS
Right. So, I mean, it's all about the outcome. Right. And ransomware, there's an interest in preserving the integrity of the system that you infect, because that's what, ultimately, they are going to pay you to get access back to wipers. There's no such interest. They're really just destructive.
MISLAV BOROŠ
Yeah. Now, there are some multiple families that we like to call wipers, but these are just poorly implemented... Yeah, it's just bad ransomware.
PAUL ROBERTS
So we know that the invasion of Ukraine began on February 24. That's when the kinetic attack began. What's the timeline for the wiper malware? We had two variants that were identified in the sort of early days of the invasion. One was Hermetic wiper, the other was Isaac wiper. And we're going to get into the details of both of those. But what's the timeline on those? Do we have any sense that these predated, the kinetic attack maybe existed and were used for other purposes prior to it, or what do we know?
MISLAV BOROŠ
Well, we can go a few weeks back to January, where Ukraine suffered another wiper attack called West Brigade. And actually this malware presented itself as ransomware. But quickly, researchers saw that the data was practically un-recoverable because also it would wipe the master boot record, which is actually the first sector on the disk where all the data about the logical partitions. And basically it shows where the operating system is located. So this is similar to the way NotPetya operated back in 2017. And it was kind of a foreshadowing of what was going to happen when the kinetic attack actually started. So ESET research actually found the sample on, I think, February 23. And as soon as they published their research, we found the samples in our Titanium Cloud, which we probably got into our network of malware sharing. Yeah, I can show you something interesting. When talking about the timeline, I'll share you a view from the A1000, which is our malware analysis platform. It basically has the static analysis results, dynamic analysis results, and combined with other threat data such as AV results and similar. So one of the samples had the encoded timed stamp dated to 28 December 2021.
MISLAV BOROŠ
So if this wasn't tampered, with, it probably means that this was compiled months ago and was probably stockpiled and was waiting to be used in something large scale such as this. This isn't really uncommon for probably an actor of this caliber, where they tend to stockpile, as we'll show later certificates, they try to stockpile other malware, they try to stockpile access to networks and just try to use them all at once to maximize the damage done. Because after they use them, they effectively burned all of those.
PAUL ROBERTS
For whatever threat actor was responsible for this, this was something that they had on the shelf ready to go at least two months ahead of the actual attack. You can tell that by the time stamp. That's really interesting.
MISLAV BOROŠ
Yeah.
PAUL ROBERTS
One of the other interesting aspects about this Hermetic wiper is and part of the reason it's called Hermetic wiper is that the malware was actually signed with a valid extended validation certificate. So these are digital PKI certificates that with EV certs, you're actually doing a lot more work upfront to identify yourself and verify your identity to get the cert. And it was signed with one of these, I guess talk about that, Mislav. Why would they go through that trouble? And how common is it that you're seeing malware, ransomware, wipers, whatever, signed with EV certs?
MISLAV BOROŠ
Well, I'll show you another screen in our AV output. So this is what you were talking about. So the malware is actually signed by a certificate that was issued to Hermetica Digital Ltd. Now this is actually a company from Cyprus, one man company. And it was actually found that the person behind the company actually did no development work at all. He was basically a content creator - a writer, basically. So what we have here is actually a fraudulently issued certificate. So the threat actor behind the attack actually had to go through some social engineering, some human, to get in contact and to really get this certificate issued. And just to expand on the timeline, this certificate is valid from April 13. So this just goes - I was saying a bit earlier that the trade actor of this caliber would stockpile all of these assets like certificates, different malware, access to different networks and other.
PAUL ROBERTS
And you can see the issuing CA certificate authority there is Digicert - a very highly respected CA - a U.S. based CA. And so what you're saying is there was actually, even before the malware was created, there was this additional work that was going on to obtain this certificate. So this was an issued certificate, not simply one that was stolen, it was issued to the threat actors who were posing as this Hermetica Digital Ltd. Again not a software publisher, so shouldn't need a code signing certificate, but one was issued to them as far back as April 2021. So that pushes the date back almost a year before the actual attack.
MISLAV BOROŠ
Yeah. Use of stolen or forged certificates is nothing new. We've written several blog posts about it a few years back but it all shows that this is a planned attack that involved forethought and execution well in advance of the deployment of the malware itself.
PAUL ROBERTS
Right. And - not to belabor the point - but like to use that extended validation sort that legitimately issued and vouched for certificate, that's going to make it much harder for endpoint detection or tools to assess that this is actually malicious code as opposed to legitimate code if it's signed by a CA that's vouching for the code. Right.
MISLAV BOROŠ
Not to get into specific names but some tools are like short circuited when the file is successfully signed with a valid certificate.
PAUL ROBERTS
This is all about avoiding detection, obviously. One of the other interesting things that I know we talked about this and that you brought up was that when you look deep into Hermetic wiper, one of the other things you found was that it was reusing actually some commercial disk partitioning components - libraries that are not in and of themselves malicious. Can you talk about that? And how often do you see that with either wiper, malware or ransomware that they're leveraging a legitimate partitioning tool to do their dirty work?
MISLAV BOROŠ
Sure. So basically this became a bit fishy when we saw that the original sample, if you look at the exact files besides this icon, generic and PNG resources which are pretty common for Microsoft compressed resources and luckily these are automatically decompressed and unpacked with Titanium Core and we could see that these were actually PSYS files which are actually device drivers. So the model itself comes with four different drivers which are actually also signed, which are actually easy use partition Master which is actually a free partition software use for partitioning the hard drive and reorganizing this space like any other partitioning tool. Right. We can see that it's a bit older software and I think the attackers didn't completely trust the software. We'll talk a little bit about later about that, right? Yeah. And you mentioned like usage of legitimate tools, so yeah, this is a legitimate tool. It's by itself, it's not malicious and it's not uncommon for malware to use like third party libraries to leverage their functionalities for their own gain. But it's not that common, I haven't seen it in Vipers to use partitioning software in such way.
PAUL ROBERTS
What do you think is behind that Mislav? Why use this legitimate partitioning component? What was the advantage they were getting by that? Was it just about speed, kind of time to complete the malware itself, or was there something else going on?
MISLAV BOROŠ
So they actually did a very thorough job to wipe the disk. Like, you can override the master boot record we talked about, over any other sectors like the MFT of the NTFS. That's the master file table. You would need some workarounds or some custom code, but they use drivers just for that. So just to expand the drivers a bit, like we've seen four different drivers. So the malware, before installing these drivers, has to actually decide which drivers to install. So queries some system information and decides, depending on if the system is 32 bit, which version of the operating system is running, which driver to install. And to install the driver, it has to load the driver privilege, which we also immediately saw in our static behavior indicators. It's here at the top. So even before dynamically analyzing the samples, we already knew that it was going to install these drivers. But what threw us off at first a little bit was they were legitimate drivers, so there weren't any malicious code that was actually part of them.
PAUL ROBERTS
So, in theory, from a threat detection standpoint or analysis detection, would that make it harder to know that this was a malicious versus a legitimate program?
MISLAV BOROŠ
Well, it gives like a heads up to what the malware might actually do, but it still doesn't paint the whole picture.
PAUL ROBERTS
Right. So I think one thing to keep in mind is Hermetic wiper was actually just one component of this wiper attack on these organizations within Ukraine, and that there were other companion malware that went along with it. And there have been two that have been identified. One was the Hermetic Wizard. And then there was another kind of almost like, decoy program called Hermetic Ransom. Can you tell us what we know about those?
MISLAV BOROŠ
Yes. It was initially reported that the Hermetic Wiper was pushed through global policy updates, which means that the attackers had access to systems and two organizations networks. But it was also spread using the Hermetic Wizard, which is actually a worm that contains three different DLLs to our spreader components. And one is the Hermetic wiper itself. And it's also signed by the Hermetica digital signature, and it's got its name through the export name. It's called Wizard DLL. So what the Hermetic Wizard actually does is just enumerates all the available network resources and tries to connect to different ports of the available resources through FTP, SSH HTTP or others and, simply copies the payload, which is the worm itself, to another computer and then runs the wiper malware.
PAUL ROBERTS
This is typical kind of worm behavior.
MISLAV BOROŠ
Yeah, just like we've seen in NotPetya. But NotPetya had the luck that it leveraged the Eternal Blue exploit which, in enterprise environments which didn't keep up with the patches, were mostly vulnerable, which led to the widespread of NotPetya malware.
PAUL ROBERTS
So we saw the same stuff. If I recall, we saw the same mix. So you mentioned the group policy and kind of leveraging like active directory compromises to spread the malware and then also this worm component which is looking to exploit open ports or vulnerabilities or whatever we saw that actually with NotPetya as well, if I recall. Also like that dual approach. Obviously you're looking to spread as quickly as you can and using as many different strategies to do that as you can.
MISLAV BOROŠ
Yes. Not that you also use the PS Exec with the dumped hashes alongside with the Eternal Blue, so that maximized it.
PAUL ROBERTS
Right, so the difference is that Eternal Blue exploit, highly effective, and it was Windows based, so just a lot of vulnerable systems out there that hadn't patched at the time.
MISLAV BOROŠ
Yeah, I was in pen testing at the time and it was actually our bread and butter for a year.
PAUL ROBERTS
Yeah, a full employment act for pen testers and for that Hermetic ransom piece. What do we know about that thing?
MISLAV BOROŠ
Yeah, it was also called Party Ticket.
PAUL ROBERTS
Party Ticket, yes. Right.
MISLAV BOROŠ
Yeah, by some researchers. It was actually a ransomware written in Go, and basically it was just a decoy just to throw people off while the Hermetic Viper did its job.
PAUL ROBERTS
The background, kind of creating a distraction for security teams, what have you.
MISLAV BOROŠ
Yeah, I mean, ransomware is so widespread today, they would probably think that it's just another ransomware attack, so they would probably throw some alerts off and write it off, like being a part of that. We resolved the threat and actually the real threat was still present on the system.
PAUL ROBERTS
So let me just message to the attendees, we are going to be taking questions and answers shortly, so you can use the Q and A feature on Zoom webinar, and if you've got a question for Mislav around either Hermetic wiper, Isaac wiper, or other questions, feel free to ask them and we'll take those questions very shortly. So just want to make you aware of that. Can we talk about the Isaac wiper threat that also was identified subsequent to Hermetic wiper?
MISLAV BOROŠ
Okay, yeah, sure. So a day afterwards, Isaac Wiper was discovered, and it was discovered it wasn't deployed on the same network as Hermetic Wiper, which probably tells us that the actors behind the Isaac Wiper were in some sort of coordination with the actors behind the Hermetic Wiper. So what's interesting is that it's much less sophisticated than the Hermetic wiper and its initial name was due to a certain number generator it used to corrupt files. It eventually turned out that it wasn't the Isaac random number generator, but the name stayed. So unlike the Hermetic Wiper...
PAUL ROBERTS
So it was using this random number generator to just throw junk data into...
MISLAV BOROŠ
Files yes, at the beginning of the files, at the beginning of the master boot record and so on. So, yes, unlike the Hermetic Wiper, it was not digitally signed, so they didn't use. So either this was used by another threat actor or they didn't have another certificate available. Probably they could use the same certificate because the time frame was practically a day apart. So what's interesting about the Isaac Wiper is the presence and what really shows the lack of sophistication is the presence of the debug strings. Like the malware is pretty easy to analyze because it had all these strings. Like when it enumerated logical drives, it would print them to a file. When it started erasing logical drives, it would print that to a file. So it was really easy to pinpoint which function does what and to create a detection rule really quickly for it. So these random prints are something that we who are not, like, full time developers are all guilty of just putting random prints, random places in the code just to see where the bug actually is. Now this tells us that probably the malware didn't work as intended initially, so they probably didn't corrupt old hard drives.
MISLAV BOROŠ
They wanted to see if the enumeration is going right. And what's also notable is that it does its corrupting in a single threat. So this probably mean it's very slow.
PAUL ROBERTS
So this is malware that they deployed really before it was working reliably.
MISLAV BOROŠ
So it probably means that they probably mobilized all the assets they had from probably different directors and just try to get everything out there and throw everything at once and that's it.
PAUL ROBERTS
So for organizations or folks who are online who are concerned about these types of threats in their own environment and again, as people have pointed out, there's nothing, these are not gated threats in any way. They're not checking for Ukrainian language keyboards or IP addresses. So these are threats that could easily spread beyond Ukraine. So if they're worried about these or other similar types of threats, wiper threats, any suggestions or tips for how they can improve their threat detection, improve their threat hunting? Kind of use some of the information that you've presented here to help them.
MISLAV BOROŠ
Well, what's really scary is that it looks like the attackers had initial access to the compromised systems. So if you would have something which is something like a phishing email, which is of low complexity, you know where to look for it. But this would probably specifically, I mean each organization that was targeted was probably targeted in a new unique way where the attacker manual attackers probably did recon, found out where the entry points were when establishing a foothold, did some lateral movement to enable just to get to the domain controller, which basically means access to the whole enterprise network. So there's no simple way to answer how to protect from it. We can suggest endpoint protection and deploying different detection rules (cross talk) but you really have to work from the ground up and do everything that makes lateral movement harder. Stuff like using labs, not using admin passwords, not using domain admin accounts to log in to different machines other than the domain controller, and just stuff like that. Good security practices in combination with some good security solutions, and just to have the oversight of what's happening on your network so you have the time to respond.
PAUL ROBERTS
We're going to take questions in a second, so if you've got them, use the Q&A feature. So, Mislav in the last couple of days, he said, and others have identified yet another wiper. This one called Caddy Wiper, also circulating on systems and networks in Ukraine. Has ReversingLabs had a chance to take a look at that?
MISLAV BOROŠ
Well, yeah, we already wrote a YARA detection rule for it as soon as it was available. So I think it came in on Monday. And it had no code level similarities to Hermitic wiper. Or is it wiper? It was not digitally signed. It does destroy the user data and goes through all the disk partitions and overwriting them. And it has one interesting feature that actually tells us that it's targeting the enterprise environment, is that it checks if it's being run on a domain controller. This is probably due to the attackers don't want to destroy the whole domain and keep the access to the system for possible future attacks.
PAUL ROBERTS
Really interesting. And we'll share, actually, the link. So you mentioned ReversingLabs publishes YARA rules for a lot of different threats, and we've got them for Isaac Wiper, Hermetic Wiper, and Caddy Wiper. We've released those in the last couple of weeks. So we'll share that link on the chat as well so that folks can hold on for everyone, not just for the panel.
MISLAV BOROŠ
So we tend to respond to these threats as quickly as we can and share them for everyone. So everyone is free to download them on our public GitHub repo.
PAUL ROBERTS
Just in case people don't know, what can they do with these YARA rules? How can they operationalize them?
MISLAV BOROŠ
Well, we tend to write these Cr rules to be classifications, not threat hunting rules, but you can use them with regular YARA executable just to search for the probably for the files on your system.
PAUL ROBERTS
All right. Hey, Carolynn, do we have any questions for Mislav?
CAROLYNN VAN ARSDALE
We do have a few questions. Hi, everybody. My name is Carol, and I'm a cyber content creator here, ReversingLabs. So let's get started with some questions. So, first question for you, Mislav: have you only seen these wipers in Ukraine, or have you seen samples of them discovered in other countries?
MISLAV BOROŠ
Well, actually, they came to prominence in Ukraine, especially in last few months, but there were some wiper reports being used in Iran, being used in Saudi Arabia, being used by North Korea, like, even in the Sony attack a few years back. But they really came to prominence with NotPetya. And in the recent few months.
CAROLYNN VAN ARSDALE
Next question for you, one that I hopefully, you can answer. What was the language or languages the attacker used to write these wipers? Is there any pattern there?
MISLAV BOROŠ
Well, there isn't any special pattern. There are no apparent similarities between all these wipers. But they did ride the Hermetic Wiper in GO, so that was probably because they needed to do it quickly, something to throw people off. So they probably used GO for that.
CAROLYNN VAN ARSDALE
Next question. What Linux malware are you seeing being exploited in the wild against Ukraine?
MISLAV BOROŠ
Well, we haven't seen anything of what would be as widespread as the wipers, most probably due to the fact that these attack enterprise networks, which are all on Windows AD, so mostly these are the ones that we analyze.
CAROLYNN VAN ARSDALE
Okay, and then we have one last question right now. Did Caddy Wiper target Russian keyboards at all?
MISLAV BOROŠ
I believe not. None of these wipers actually had switches like this that they were ignored certain keyboards or certain areas like Poll mentioned IPS or anything similar.
PAUL ROBERTS
So, I mean, what should we know about there's been a lot written about these just because of their connection with Ukraine. Is your sense misoft that these are pretty widespread within the country and that they're out there and they're going to kind of be with us for a while, or are they getting a lot of attention because of the context, but compared to other threats that are out there now, conte or whatever, not such a big concern for organizations that aren't actually in the war zone.
MISLAV BOROŠ
Well, they definitely showed the effect of the Mueller that it can have really like widespread effect. So basically I think the context has a lot to do with it, and this is probably not the end of it. I'm not sure if there would be any sense for the same attackers to attack someone outside the Ukraine currently, but I don't know. We will see.
PAUL ROBERTS
And I know one of the interesting points you made to me before is like, you can really see the effort and planning that went into Hermetic wiper. That for the groups, whether they're nation state groups, cyber criminal groups, terrorist groups, whatever. If they want to, they're going to put a lot of time and effort into creating this malware and equipping it like with the extended validation cert, it might take months of planning, but the payoff for them is very high effectiveness. But they're not going to just burn that type of a threat on a low value target or they're going to save those for very special operations.
MISLAV BOROŠ
Most definitely they really want to spread the effect of the malware as much as they can. So what we've seen actually, like, the Caddy Wiper came two or three weeks after. So I don't know if they needed to have some more time to develop another wave of the attack. They didn't count on that another a wave should be necessary. We'll probably see more of those while this conflict continues. Probably not as advanced as Hermetic Wiper, but certainly they have some more in their sleeves.
CAROLYNN VAN ARSDALE
We do have some more questions.
PAUL ROBERTS
Okay, go ahead. (Cross talk)
CAROLYNN VAN ARSDALE
So, were any of the Hermetic, Isaac and Caddy Wiper samples found in Titanium Cloud prior to the start of the war? And if so, were they detected as malicious prior to the ESET research being published?
MISLAV BOROŠ
So, no, we didn't have any samples in the cloud before, but we did manage to capture some parts of the Hermetic bunch. Like with our ML model, we caught the ransomware, but with our ransomware model and we did actually caught the Hermetic Wizard with our experimental ML model as well. So theoretically, if they were in cloud before, we would have classified them, but they weren't.
CAROLYNN VAN ARSDALE
Okay, cool. Another question for you. Did you notice any similarities from the BDP paths and code similarities with other threat actors?
MISLAV BOROŠ
So, no, we cannot still do any attribution. We just have circumstantial evidence that point to Russia and that's mostly it.
CAROLYNN VAN ARSDALE
Okay, so that's all we have for now. If anybody has any more questions, please use the Q&A function. But for right now, I think we're good.
PAUL ROBERTS
And for most organizations, right, attribution is a little bit secondary, right? Like you're focused on defense and detection and that in some ways is independent of who's behind the threat. Although obviously it is really important to know and there are bigger implications behind these. Really good questions from everybody. Thank you so much. And this will be recorded. This is being recorded and it will be available for viewing after the fact. We'll send you a link when it's up on our website. So before we go, we actually have for all of you, thank you for joining us for our first ever ConversingLabs episode. And we have a T shirt giveaway. We've got a certain number of T shirts to give away, and to kind of qualify for a T shirt, we're going to give you a little three question poll. And I think I can probably do this. This is the first question, and for everybody who answers the three questions right, you will get a T shirt and we'll follow up with you to get the mailing address. This is North America only, I'm afraid, so if you're attending from somewhere else in the world, we'll get some other gift out to you.
PAUL ROBERTS
But T shirts are a North American thing, and the correct answer for those of you who took it, obviously was three. Sorry, was question answer number four. ESET discovered it the Hermetic wiper initially, and Isaac Wiper as well. Okay, second question here. The name Hermetic wiper comes from, what does it come from? The Malware's Secret hermit -like qualities. The Malware's superior construction. Hermetica Digital, the company that Malware claimed to belong to. Ending that poll. Okay, 91% got the right answer, which was Hermetica Digital company. Malware claim belong to Cypriot, one person company not involved in software development. But thank you to those three people who solve for the Hermit like. Qualities that makes me feel good. Okay, final question. This is for all the marbles. This is for the T shirt. Sorry. Wiper malware generally. This is wiper malware generally, not hermetic wiper, but wiper malware generally has only been observed in the wild in Ukraine, has been observed in the wild in other countries besides Ukraine, or is incredibly common and has been observed in the wild everywhere.
MISLAV BOROŠ
Okay.
PAUL ROBERTS
Split pretty evenly. I think the correct answer. Has been observed in the wild in other countries besides Ukraine, but is not incredibly common, and certainly it's not the case that it's only been ever been observed in Ukraine. Mislav, would you back me up on that?
MISLAV BOROŠ
Well, you could actually I would take both of the answers.
PAUL ROBERTS
That's correct.
MISLAV BOROŠ
It's a gray area.
PAUL ROBERTS
Okay, well, it's a gray area. What does it mean to be incredibly common? Right. I guess that's kind of where the gray area is. So we'll give you credit if you had two or three. I think my point in the question was kind of like wiper malware isn't just limited to Ukraine, and yet it's not as common, just as run-of-the-mill ransomware. It's a little bit observed in more selective settings, but not just in Ukraine. But, yes, if you did two or three, we'll give you credit for that, and we will reach out to you and get your contact information so that we can send you a ConversingLabs T shirt or some other more available premium if you're outside of the United States. Okay, that's our conversation for today. Thank you all so much. This is going to be ConversingLabs is going to be a regular series. We're going to be coming to you every couple of weeks with another conversation about threats, threats detection, secure software development, and software supply chain issues as well. And we're going to be talking to Mislav and some of the other great researchers here at ReversingLabs and at other organizations.
PAUL ROBERTS
So thanks so much for joining us, and we hope to see you back here at our next episode. And, Carolynn, thanks for all your help managing the audience. And we'll do this again. Mislead, that was a great presentation. Thank you so much for sharing your time with us. I hope you're enjoy the discussion, and if you like what you hear, do us a favor and give us a thumbs up on your favorite podcast platform. Thanks, and I hope you enjoy the show.