Cybersecurity firm SentinelOne attributed the attacks to a nation-state actor affiliated with Iran it tracks under the moniker “Agrius” The group’s modus operandi involves deploying a custom.NET malware called Apostle that has evolved to become a fully functional ransomware, supplanting its prior wiper capabilities. Some of the attacks have been carried out using a second wiper named Deadwood (aka Detbosit) after a logic flaw in early versions of Apostle prevented data from being erased. Researchers: Operators behind the attacks intentionally masked their activity as ransomware attacks, an uncommon behavior for financially motivated groups.
Source: https://thehackernews.com/2021/05/data-wiper-malware-disguised-as.html