A Quick Walk-through on Wiper Malware !


Wiper Malware and Its Types

How does Wiper Malware work?

Cybercriminals often design malware to intentionally harm an enterprise or individual. We tend to assume that ransomware variants are the most destructive; if so, think again. In most ransomware attacks, the encrypted data can still be retrieved through a ransom payment or negotiation. Wiper malware, by contrast, does not seek monetary gain: its purpose is destruction and damage to the information on the system where it detonates. Driven by the growth in cyberattacks, the web security market will grow to (approx.) 8 billion USD by 2026, according to Statista. Researchers have uncovered (and tweeted) that the wiper malware WhisperGate is targeting many Ukrainian organizations. This article covers what wiper malware is and how it works.

What is wiper malware?

Wiper malware is a well-known class of malware whose purpose is to wipe or destroy data so thoroughly that no recovery tool or technique can bring it back. Beyond the data loss itself, it causes reputational and financial damage. It does not steal money or information to sell to a malicious third party. The attacker deploys this malware through actionable links and messages. Once it executes, it attempts to delete and damage everything permanently and to cover up the attacker’s footprints after any data exfiltration.

PacketLabs can provide guidance on defending against such malware threats. Very recently, this destructive malware hit Ukrainian systems, affecting government systems, financial institutions and some private organizations. Some of the most damaging wiper variants are:

· CaddyWiper

· NotPetya

· SkyWiper

· Meteor

· HermeticWiper

· WhisperGate

How does Wiper Malware work?

Cybercriminals use different techniques and approaches to deploy wiper malware and then detonate it. Some use emails, political posts, actionable links, messages and similar lures to deliver the wiper. If we take a deeper look at the anatomy of a wiper, we find that it targets three different elements: all the files and data on the system, the boot sector of the OS, and the backup mechanisms or temporary files associated with that data. Of the three targets, file destruction takes the longest.

Because of that, the malware does not waste precious time overwriting the entire disk drive. Instead, it writes small amounts of data at scattered offsets in the files, at particular intervals, which is enough to destroy them. While the data destruction is in progress, the wiper explicitly targets the system recovery files and removes them permanently, so that users are left with no option to recover the data.
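The three targets described above (mass file destruction, the boot sector reached through raw disk access, and recovery data), together with the "small writes to many files" pattern, are observable from an endpoint's file-system and device audit trail. The following detection sketch is an added example, not code from the original article or from PacketLabs; the event format, the process and file names, and the thresholds are all constructed assumptions for this illustration and would need tuning against a real environment's telemetry.

```python
"""Detection sketch (added example): flag the behaviours the article attributes
to wipers over a constructed stream of file-system / device audit events."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float      # timestamp in seconds (constructed values)
    process: str   # image name of the acting process
    action: str    # "delete", "write" or "open_write"
    path: str      # file or device path touched
    size: int = 0  # bytes written (write events only)


# Thresholds and markers are assumptions for this sketch; tune them per environment.
DELETE_THRESHOLD = 20         # this many deletes by one process ...
WINDOW_S = 10.0               # ... within this many seconds
SMALL_WRITE_MAX_BYTES = 4096  # "small amounts of data" per file
SMALL_WRITE_FILES = 10        # ... spread across at least this many distinct files
RAW_DEVICE_PREFIXES = (r"\\.\PhysicalDrive", r"\\.\C:", "/dev/sd", "/dev/nvme")
RECOVERY_MARKERS = ("System Volume Information", "\\Backup\\", "\\Windows\\Boot\\")


def detect(events):
    """Return a list of (process, alert_kind, detail) tuples, one per triggered rule."""
    alerts = []
    seen = set()                       # one alert per (process, rule), not per event
    deletes = defaultdict(deque)       # process -> timestamps of recent deletes
    small_writes = defaultdict(dict)   # process -> {path: ts} of recent small writes

    def raise_once(proc, kind, detail):
        if (proc, kind) not in seen:
            seen.add((proc, kind))
            alerts.append((proc, kind, detail))

    for ev in sorted(events, key=lambda e: e.ts):
        # Rule 1: writing to a raw disk device (boot sector / partition table target).
        if ev.action in ("write", "open_write") and ev.path.startswith(RAW_DEVICE_PREFIXES):
            raise_once(ev.process, "raw_disk_access", ev.path)
        # Rule 2: tampering with recovery or backup data.
        if ev.action in ("delete", "write") and any(m in ev.path for m in RECOVERY_MARKERS):
            raise_once(ev.process, "recovery_data_tampering", ev.path)
        # Rule 3: a burst of deletions inside a sliding time window.
        if ev.action == "delete":
            q = deletes[ev.process]
            q.append(ev.ts)
            while q and ev.ts - q[0] > WINDOW_S:
                q.popleft()
            if len(q) >= DELETE_THRESHOLD:
                raise_once(ev.process, "mass_deletion", f"{len(q)} deletes in {WINDOW_S:.0f}s")
        # Rule 4: small writes scattered across many distinct files.
        if (ev.action == "write" and 0 < ev.size <= SMALL_WRITE_MAX_BYTES
                and not ev.path.startswith(RAW_DEVICE_PREFIXES)):
            recent = small_writes[ev.process]
            recent[ev.path] = ev.ts
            for stale in [p for p, t in recent.items() if ev.ts - t > WINDOW_S]:
                del recent[stale]
            if len(recent) >= SMALL_WRITE_FILES:
                raise_once(ev.process, "scattered_small_overwrites", f"{len(recent)} files")
    return alerts


def sample_events():
    """Constructed audit trail: a benign cleanup process and one suspicious process."""
    evs = []
    # Benign: a cleanup job deleting a handful of old logs over ten minutes.
    for i in range(5):
        evs.append(Event(ts=100.0 + i * 120, process="cleanup.exe", action="delete",
                         path=f"C:\\Logs\\old{i}.log"))
    # Suspicious (constructed names): many deletes within seconds, a few hundred
    # bytes written into many documents, a raw-disk open for writing, and removal
    # of shadow-copy data.
    base = 1000.0
    for i in range(25):
        evs.append(Event(ts=base + i * 0.2, process="upd.exe", action="delete",
                         path=f"C:\\Users\\alice\\Documents\\report{i}.docx"))
    for i in range(12):
        evs.append(Event(ts=base + 6 + i * 0.1, process="upd.exe", action="write",
                         path=f"C:\\Users\\alice\\Pictures\\img{i}.jpg", size=512))
    evs.append(Event(ts=base + 8, process="upd.exe", action="open_write",
                     path=r"\\.\PhysicalDrive0"))
    evs.append(Event(ts=base + 9, process="upd.exe", action="delete",
                     path=r"C:\System Volume Information\{snapshot-guid}"))
    return evs


if __name__ == "__main__":
    for proc, kind, detail in detect(sample_events()):
        print(f"ALERT {kind:<28} process={proc} detail={detail}")
```

Each rule fires at most once per process so a burst of ten thousand deletes produces one alert rather than ten thousand, and the benign cleanup job stays below the deletion threshold because its deletes are spread over minutes rather than seconds. In practice the raw-device rule alone is a strong signal, since very few legitimate user-mode processes ever open `\\.\PhysicalDrive0` for writing.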

Well-known Examples of Wiper attacks –

Wiper malware has a serious impact on any organization where it is deployed, and over the past decade it has had severe repercussions across the globe. Here is a list of real-world wiper attacks.

· NotPetya: One of the most destructive wiper variants, which appeared in 2017 and caused an estimated 10 billion USD in damage to multinational companies. This variant is unusual because it presents itself as ransomware: it demands a ransom while it is in fact wiping the data beyond recovery.

· Shamoon: From 2012 to 2016, this wiper targeted Saudi Aramco and various other Middle East oil companies and damaged more than thirty thousand hard drives through a direct disk-access driver named RawDisk.

· ZeroCleare: This wiper variant appeared in 2019, when it attacked various energy companies and industrial firms in the Middle East. It specifically overwrites the MBR and disk partitions on Windows systems through the EldoS RawDisk driver.

Conclusion –

If a system becomes the target of a wiper attack, it will not be a covert attack like spyware or other Trojans. The network and system monitoring team will see malicious changes in system behavior and may witness a massive deletion of files. Backups kept at another location with no internet connectivity or other direct connection to the affected systems are the only way to recover from such attacks. Security companies like PacketLabs can guide you on how to protect against them.


Karlos G. Ray [Masters | BS-Cyber-Sec | MIT | LPU]

Written by Karlos G. Ray [Masters | BS-Cyber-Sec | MIT | LPU]

I’m the CTO at Keychron :: Technical Content Writer, Cyber-Sec Enggr, Programmer, Book Author (2x), Research-Scholar, Storyteller :: Love to predict Tech-Future
