Wiper malware: What is it, history, and prevention

What is wiper malware?

Wiper malware is named after its main function – to wipe files from a hard disk. The basic definition of wiper malware is any malicious software designed to delete files or destroy data on the device it attacks. Wipers are designed to enter systems and destroy them from the inside by deleting files or permanently blocking access to them. These attacks can cripple networks and organizations, leaving them unable to operate normally because of an inability to access their data.

How does wiper malware work?

To fit the definition of wiper malware, software needs to delete, corrupt, or encrypt targeted files. As you can see, this makes for a broad category of malware, and different programs employ varied techniques to attack data. Let’s look at the main ones that have been used in the past.

Techniques employed by wiper malware

1. Detecting files: Wiper malware needs to enter a system and work through hard disks to identify files to attack. It’s important for the wiper to identify files by type. The threat actor’s intention is for the wiper to do as much damage as possible without attacking operating system files. If it attacked all the files for the OS first or even randomly, the device would crash before the targeted files were successfully damaged, leaving the job unfinished. Therefore, most wipers will start with non-OS drives and directories to be sure to keep the system intact as long as possible.
2. Deleting (wiping) files: File deletion is the simplest and most efficient way for a wiper to destroy targeted files. This saves time and processing power, making the attack brief and aggressive. However, because the files are only marked as deleted and not overwritten, they could be recovered by forensic examination of the raw disk.
3. Attacking “masters”: Some wipers have been found to attack a computer’s master boot record (MBR), corrupting it to make it impossible to boot the system. Others corrupt the master file table (MFT) so systems cannot locate any files. However, these attacks don’t destroy the actual files – they could still be recoverable.
4. Overwriting files: While deleting and corrupting master records can leave files intact and recoverable, overwriting them does not. This is a tactic employed by many wipers, which overwrite files and may then also delete them. All or part of each file can be replaced with nonsense or random text and then saved, thus destroying the originals.
5. Permanently encrypting files: Like ransomware, some wiper malware works by encrypting data. They may even pretend to be ransomware, requesting payment in exchange for the decryption key. However, this is a ploy, and the decryption key is actually destroyed by the wiper, rendering file recovery essentially impossible.
6. Destroying drives: Instead of locating and destroying files individually, some wipers attack disk drives directly. They can efficiently rewrite large sectors of a disk, but because they attack the disk in successive order, they may trigger an operating system crash before all targeted files are destroyed.

These techniques don’t need to be used individually, and different wiper malware may use combinations of any or all of them. This is what makes these attacks so destructive and difficult to defend against.

Why are wiper malware attacks deployed?

Different types of malware are used by threat actors to attack organizations, steal information, and even make money. In contrast to these other cybercrimes, wiper malware seems to be unique in its aim to destroy information. Wiper malware attacks are generally deployed against corporations and governments rather than individuals. These are some of the main motivations for deploying these crippling attacks:

Sabotage or hacktivism

Sabotage of a corporation or a government can be a main reason to use wiper malware. By attacking a company’s data, for example, the saboteur can cause untold damage to that business. The business’ reputation could be severely hurt by their inability to provide services as usual or access their customers’ important data. While hacktivism can be motivated by a social cause that may or may not be seen as noble, the effects of using a wiper on targets would be the same as with sabotage.

Cyber warfare

Cyber warfare involves any digital weapons a military can get its hands on. There’s no reason to suspect that militaries wouldn’t use wiper malware as one of many tools to destabilize infrastructure in the territories they’re attacking. In fact, at least seven attacks targeting Ukraine’s government and businesses have been discovered since the start of the Russian invasion of Ukraine. These attacks can destroy data and systems that support both the opposing military and civilians.

Destruction of evidence

Hackers who steal or manipulate data leave traces that investigators can find, unless they wipe their digital fingerprints. By using wiper malware after hacking or espionage, evidence of these acts can be destroyed, and the target is distracted from the actual violation.

Financial gain

Wiper malware that masquerades as ransomware can be deployed for financial gain. The threat actor can withhold access to files until a payment is made and then leave the files encrypted or destroyed by the wiper anyway. This can also help to cover their tracks.

Most notable wiper attacks

The history of wiper attacks is short but destructive. These are some of the most significant attacks seen in the world so far.

• Shamoon, 2012 and 2016: This wiper was directed at companies in Saudi Arabia allegedly in retaliation for crimes and oppression by the Saudi government. It was introduced via phishing emails into local networks and spread to infect thousands of workstations. The wiper destroyed files and replaced them with a picture of a burning American flag, then corrupted the MBRs to make the computers unusable. In 2016, Shamoon was deployed again, this time replacing files with an image of a drowned Syrian refugee boy’s body.
• Dark Seoul, 2013: This attack was linked to the North Korean government and wiped the disks of 32,000 computers of South Korean media and financial companies.
• Notpetya, 2017: Initially a ransomware named Petya, Notpetya was modified and deployed in an attack against over 80 companies in Ukraine as well as others in Germany, Poland, and Russia. It encrypted files permanently on computers infected through a backdoor in a Ukrainian tax preparation program.
• Olympic Destroyer, 2018: Believed to have been created by the Russian hacking group Sandworm, this wiper attack was aimed at disrupting the 2018 Winter Olympics Opening Ceremony in Pyeongchang, South Korea.
• Ordinypt, 2019: This wiper targeted German companies, entering their networks through phishing emails. Once inside, they asked for a ransom to decrypt files but had actually simply deleted them.
• Dustman, 2019: Dustman targeted the Bahrain national oil company, where it overwrote files on infected machines with random data. This attack was linked to Iranian state-sponsored threat actors.
• ZeroCleare, 2020: The ZeroCleare wiper targeted energy and industrial companies in the Middle East. This wiper overwrote the master boot record and disk partitions on machines running Windows and gained access through a vulnerable driver to cause malicious damage. This attack was also linked to Iran.
• WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, DoubleZero, AcidRain, 2022: This series of seven attacks were all aimed at Ukraine, either toward government or business organizations. The wipers used various entry mechanisms and techniques to delete, overwrite, and encrypt files or destroy disks directly. The timing of these attacks, both just before and steadily after the Russian invasion of Ukraine, has led to their connection with the Russian military.

How to prevent wiper malware attacks

Wiper malware attacks can be incredibly destructive. As with all malware, it’s crucial for organizations to protect themselves through increased education, improved security, and greater awareness. Here’s how you can prevent data loss from wiper attacks:

• Backing up data: Keeping another copy of your data, preferably constantly updated and air-gapped from your current network, can enable you to retrieve valuable files that would otherwise be lost in an attack.
• Segmenting networks: Dividing your network into smaller units can help prevent the spread of malware and its devastating effects.
• Managing software security: It’s critical to keep all of your software updated with the latest security patches to prevent malware intrusions. Outdated software can leave you vulnerable.
• Strengthening email security: Phishing emails have been used to infect computers with wiper malware in the past and will continue to be a threat. Adding extra levels of email security, like secure email gateways and cloud email security, will increase your ability to block malicious emails.
• Building up endpoint security: Increasing security measures on all network endpoints can help you restrict access to any threat actors who might have malicious intent towards your organization. This can include controlling apps on devices used on your networks, using powerful antivirus software, and employing a VPN to encrypt your online traffic.
• Monitoring: It’s critical to constantly monitor systems for unusual behavior. System slowdowns and unauthorized users on your networks can be signs of malware attacks that could cripple your organization. If you’re constantly monitoring traffic and system logs, you may be able to catch malicious attacks before they’ve done their damage.
• Responding to incidents: Many organizations don’t have plans in place to respond to malware attacks, but they should! Creating a response team and a response plan with procedures in place, like quickly isolating infected systems, could save your data just in time.

FAQ

What is CaddyWiper malware?

CaddyWiper is data-wiping malware discovered in March 2022. It was used to target Ukrainian organizations by erasing user data, programs, and partition information and spread through Microsoft GPOs.

What is HermeticWiper malware?

HermeticWiper is another example of data-wiping malware which was also targeted at Ukraine, affecting several high-profile websites and computers. This wiper was discovered in February 2022 on the eve of the Russian invasion of Ukraine.

Is a wiper ransomware?

No, a wiper is not ransomware. Ransomware blocks access to personal data or encrypts these files until a ransom is paid. Access to the files is promised to be returned to the owner once the ransom is paid. But a wiper deletes files and programs rather than simply blocking them. Some wipers do masquerade as ransomware but instead permanently corrupt data or delete the files they’re pretending to ransom.