How to mitigate wiper malware
A wiperware cyberattack can change the game for organizations because it causes complete destruction of data and systems. Find out how to protect your organization.
Many headline-making cybersecurity news stories revolve around phishing attacks and ransomware attacks. But wiper malware, a newer threat vector, might be far worse than phishing and ransomware combined.
What is wiper malware?
As the name suggests, wiper malware erases a victim's systems. Also called wiperware, it is a malicious payload designed to cause total destruction to all of the data and programs in an organization's infrastructure. Wiperware is often used in cyberwarfare and in attacks against government agencies, critical infrastructure and mission-critical business processes.
Unlike ransomware and phishing, which leave some possibility of data recovery after an attack, wiperware causes total loss and destruction. Wiperware can be compared to a Category 5 hurricane, while phishing and ransomware can be compared to tornadoes. Because of its severity, wiper malware could drive a company out of business: its sole purpose is to destroy data.
Wiper malware dates to 2012, when Kaspersky researchers published information about Wiper malware used against Iranian computer systems and Shamoon wiperware used against a Saudi oil and gas company.
At the time, wiperware wasn't used widely because it eliminates the profit motive for cyberattackers. The first major wiperware uptick was noticed by several incident response companies in 2022, after Russia invaded Ukraine.
In the years since, wiperware has been used in many high-profile breaches and cyberwarfare attacks. Well-known variants include NotPetya, Industroyer, HermeticWiper, HermeticWizard and HermeticRansom.
Wiperware's impact on a business
Wiperware can affect an organization in four distinct ways:
- Corruption of the master file table. The MFT provides an index for all files stored in the CPU and in other memory in a device. If the MFT is corrupted, the files are permanently inaccessible.
- Eradication of the master boot record. The MBR provides instructions for the device on the proper boot-up sequence. If this has been affected by wiperware, the system cannot boot up, rendering it useless.
- File encryption. Wiper malware can encrypt files, but unlike ransomware, the decryption key is also completely wiped out. This makes any chance of salvaging the targeted files and systems impossible.
- Overwriting files. Wiperware can overwrite and completely replace all files with null values or other binary data.
Organizations will notice the effects of Trojan horses, worms, viruses and other malware at some point, but wiperware is different. Once a business has been hit, it will be immediately obvious because nothing can be accessed on targeted devices, VMs or virtual desktops. By then, it is too late to do anything about it.
What's the motivation behind wiperware?
Since a wiperware attack doesn't result in any real financial gain, the question remains: Why do cyberattackers use it? Following are some key reasons:
- Sabotage. Since wiperware is used primarily for cyberwarfare, it is the tool of choice if the goal is complete destruction of the victim or enemy.
- Create psychological fear. Once there is no chance of data and systems recovery, wiperware can also impact the target on a psychological level. For example, people could start to lose faith in the ability of their organizational leaders or even their entire government if it takes a long time to launch any kind of salvage effort.
- Destroy evidence. Some ransomware variants contain a wiper component. When the two are used together in a security breach, digital evidence of an attack is completely erased, thus rendering any kind of investigation totally useless.
How to mitigate wiper malware attacks
No business or individual is immune to becoming a victim of a wiperware attack. Therefore, prevention is key. Use the following strategies to mitigate wiperware attacks:
- Create backups. If organizations back up data on a regular basis, affected devices can be replaced and the data can be restored onto them. Be sure backups are immutable and distributed.
- Secure email. Phishing is a common way to deploy wiperware. Security teams should create a sound email security policy and deploy email security tools to secure email environments.
- Apply patches and updates regularly. Cyberattackers are constantly looking for backdoors to penetrate, and plenty of these backdoors are in unpatched systems. Stay on top of patches and upgrades to close these backdoors and vulnerabilities.
- Use MFA and zero trust. Implement and use MFA and zero trust together to help secure account credentials from compromise.
- Secure endpoints. Endpoints are favored targets for deploying wiper malware. Secure endpoints using endpoint detection and response, antimalware, mobile device management, data loss prevention and other endpoint security tools.
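One way to make the backup strategy above verifiable, as an added example that is not from the article: record a hash manifest of a backup set while it is known-good, then re-check it before any restore so that missing, modified or null-overwritten files (the overwrite pattern described in the impact section) are flagged instead of silently restored. The sample files and the post-incident state below are constructed for the demonstration.

```python
import hashlib

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_zero_filled(data: bytes) -> bool:
    # A non-empty file consisting only of 0x00 bytes matches the null-overwrite pattern.
    return len(data) > 0 and data.count(0) == len(data)

def build_manifest(files: dict) -> dict:
    # files: relative path -> content, captured while the backup set is known-good.
    return {path: sha256_bytes(content) for path, content in files.items()}

def verify_manifest(manifest: dict, current: dict) -> dict:
    # Classify every file recorded in the manifest against its current content.
    findings = {}
    for path, expected_hash in manifest.items():
        data = current.get(path)
        if data is None:
            findings[path] = "missing"
        elif sha256_bytes(data) == expected_hash:
            findings[path] = "intact"
        elif is_zero_filled(data):
            findings[path] = "zero_filled"
        else:
            findings[path] = "modified"
    return findings

def safe_to_restore(findings: dict) -> bool:
    # Only restore from a set in which every recorded file is still intact.
    return all(state == "intact" for state in findings.values())

# Constructed sample: a known-good backup set, and the same set after an incident.
SAMPLE_GOOD = {
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget');\n",
    "docs/plan.txt": b"Q3 recovery plan\n",
    "cfg/app.ini": b"[app]\nmode=prod\n",
    "logs/audit.log": b"2024-01-01 login ok\n",
}
SAMPLE_AFTER = {
    "db/orders.sql": SAMPLE_GOOD["db/orders.sql"],                 # untouched
    "docs/plan.txt": b"\x00" * len(SAMPLE_GOOD["docs/plan.txt"]),  # null-overwritten
    "cfg/app.ini": b"[app]\nmode=prod\nmode=debug\n",               # content changed
    # "logs/audit.log" has been deleted
}

if __name__ == "__main__":
    print(verify_manifest(build_manifest(SAMPLE_GOOD), SAMPLE_AFTER))
```

An immutable, distributed copy of the manifest (kept apart from the backups themselves) is what makes the comparison trustworthy after an incident.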
Ravi Das is a technical engineering writer for an IT services provider. He is also a cybersecurity consultant at his private practice, ML Tech, Inc., and has the Certified in Cybersecurity (CC) certification from ISC2.