Researchers reported that systems hit by HermeticWiper were also presented with a fake ransomware operation dubbed GoRansom, but the ransom component appeared to be a distraction rather than a genuine extortion campaign. The attack combined destructive wiping activity with a ransom note, creating the appearance of financially motivated malware while the underlying objective was irreversible system damage.
Analysis linked the incident to the broader HermeticWiper intrusion set, indicating that the so-called GoRansom element lacked the hallmarks of a normal ransomware deployment and instead served as cover for sabotage. The operation highlighted how threat actors can blend wiper malware with counterfeit ransom messaging to delay attribution, confuse responders, and mask a destructive attack as ordinary cybercrime.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
1 event from the most recent confirmed update back to the earliest known activity.
Securelist published analysis describing the HermeticWiper attack and associated Elections GoRansom activity, characterizing the ransomware component as a smoke screen for the wiper operation. No earlier specific event dates are provided in the reference metadata, so the publication date is used as the event date.
1 reference tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.